PERSONAL DATA PROCESSING POLICY

We recommend that you carefully read this personal data processing policy, which governs how we process your personal data provided in connection with:

(i) visiting the shopping centre Bory Mall at Lamač 6780, 841 03 Bratislava (hereinafter the "Centre"),

(ii) using services provided at the Centre,

(iii) participation in consumer competitions and marketing events,

(iv) orders and use of gift cards,

(v) business relationships with tenants and suppliers.

These policies also apply to the processing of personal data in connection with visits to the website www.borymall.sk (hereinafter the "Website").

Your privacy is important to us, which is why we strive to ensure a high level of protection of your personal data and transparency in their processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "GDPR") and Act No. 18/2018 Coll. on the Protection of Personal Data.

In this document you will find information on how we process your personal data, for what purposes, what rights you have in connection with their processing, and how you can exercise these rights.

Where personal data is processed through cookies and similar technologies on the Website, details (including the current list of cookies, providers, retention periods, information on any transfers and consent settings) are set out in a separate document, Cookie Policy, on the Website.

1. Introductory information on the processing of your personal data

Bory Mall s.r.o., with registered office at Lamač 6780, 841 03 Bratislava, Company ID: 36 824 763, and Bory Mall Management, j.s.a., with registered office at Lamač 6780, 841 03 Bratislava, Company ID: 36 721 735, act as joint controllers within the meaning of personal data protection legislation, i.e. they are entities that jointly determine the purposes and means of processing your personal data ("Joint Controllers").

The Joint Controllers have entered into an agreement pursuant to Art. 26 GDPR, in which they have transparently allocated responsibility for fulfilling individual obligations arising from the GDPR. The essence of this agreement is in particular that:

- The Joint Controllers fulfil the information obligation towards data subjects under Articles 13 and 14 GDPR through this personal data processing policy, which is published on the Website and/or made physically available in the Centre and at events organised there.

- Bory Mall Management, on behalf of the Joint Controllers, prepares drafts of this policy, updates it on an ongoing basis according to the actual state of processing, and technically ensures its publication and availability.

- Bory Mall handles communication with the supervisory authority in matters relating to joint processing purposes.

- A data subject may exercise their rights under the GDPR and the Act with any of the Joint Controllers; each request will be promptly forwarded to Bory Mall Management, which handles the complete operational processing of data subjects' requests on behalf of the Joint Controllers.

This document describes how we process your personal data that we obtain in connection with visits to the Centre, use of services at the Centre, participation in consumer competitions and marketing events, visits to the Website, gift card orders, as well as in connection with business relationships with suppliers and tenants.

We process your personal data primarily for the purposes of ensuring security and protection of persons and property, providing services to Centre visitors, organising consumer competitions, marketing communications (including newsletters), operating the Website, and managing contractual business relationships. More detailed information on individual purposes, categories and scope of processed personal data, legal bases, retention periods for your data, and your rights can be found in the following sections of this policy.

We obtain your personal data directly from you, in particular when visiting and using services at the Centre, participating in consumer competitions and marketing events, placing gift card orders, through forms and communication (by phone, email or in person), through the CCTV system installed at the Centre for the protection of persons and property, and through the Website (cookies and technical logs). We usually obtain personal data about representatives of tenants and suppliers from these entities to the extent necessary for communication and management of contractual business relationships.

If you have any questions regarding the process and conditions of processing your personal data, please do not hesitate to contact us using the method specified in this policy.

2. Basic conditions for processing your personal data

Purpose of processing	Categories/scope of processed personal data	Data subjects	Legal basis	Retention period
Security – CCTV system	video recordings, licence plate number, entry/exit time, photographs	visitors, employees, tenants, suppliers	legitimate interest (Art. 6(1)(f) GDPR)	15 days (standard); in case of incidents until the incident is resolved
Parking – parking records and parking verification	vehicle licence plate number; parking ticket (only if the licence plate number cannot be recognised); data necessary for parking records and payment of parking fees (to the extent necessary to calculate and pay parking fees)	drivers / visitors using parking at the Centre	performance of a contract (Art. 6(1)(b) GDPR) – provision of parking and payment of parking fees; legitimate interest (Art. 6(1)(f) GDPR) – prevention of misuse and handling of complaints/incidents	1 month
Security – damage incidents	identification and contact data necessary to verify identity and communicate (usually name, surname, address, contact details, identification data from identity documents); data necessary to assert insurance and legal claims (e.g. data from driving licence, insurance documents, account number); image and audio recordings documenting the damage incident (photo/video)	visitors, employees, tenants, suppliers	legal obligation (Art. 6(1)(c) GDPR – accounting/insurance regulations); legitimate interest (Art. 6(1)(f) GDPR)	10 years
Security – lost and found	name, surname, ID card number only in exceptional cases related to identity verification	Centre visitors	legitimate interest (Art. 6(1)(f) GDPR)	6 months
Customer services – wheelchair rental	name, surname, ID card number, phone	Centre visitors	performance of a contract (Art. 6(1)(b) GDPR); legitimate interest (Art. 6(1)(f) GDPR)	until return + 30 days
Consumer competitions	name, address, date of birth, email, phone; possibly photographs, video (if consent is given)	consumer competition participants	performance of a contract (Art. 6(1)(b) GDPR); consent (Art. 6(1)(a) GDPR) – for photo/video; legal obligation (Art. 6(1)(c) GDPR) – archiving of accounting documents	duration of competition + 5 years
Events and marketing	photographs, videos	event participants, Centre visitors	legitimate interest (Art. 6(1)(f) GDPR) – reportage footage; consent (Art. 6(1)(a) GDPR) – individual portraits	internal storage: 2 to 3 years for active marketing purposes, then 3 years in archive; content published on social networks according to platform rules
Website – contact form (communication)	name, email, message content	persons who send a message via the contact form through the Website functionality	legitimate interest (Art. 6(1)(f) GDPR) – handling enquiries and communication	until communication is closed + 12 months
Newsletter and news distribution	email address (and possibly name and surname if provided by the data subject)	newsletter and news subscribers	consent (Art. 6(1)(a) GDPR and Section 116(3) of Act No. 452/2021 Coll. on Electronic Communications)	until consent is withdrawn
Website – technical logs	IP address, technical logs	Website visitors	legitimate interest (Art. 6(1)(f) GDPR) – secure operation of the Website	max. 13 months
Website – cookies	cookies (necessary / analytical / marketing)	Website visitors	legitimate interest (Art. 6(1)(f) GDPR) – necessary cookies; consent (Art. 6(1)(a) GDPR) – analytical and marketing cookies	6–24 months according to the current list of cookies and their retention periods (see Cookie Policy on the Website)
Gift card orders	name, address, email, phone, billing details; token (gift card identification number); possibly personal data provided for identity verification when loading amounts from EUR 150 to EUR 250.	customers and gift card holders	performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) – accounting	10 years
Business relationships – tenants and suppliers	identification, contact data, in some cases financial data	suppliers, tenants, their representatives	performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) – accounting	duration of contract + 10 years
Wi-Fi network operation at the Centre – connection logs	MAC address, assigned IP address (private), connection/disconnection time	Wi-Fi network users at the Centre	legitimate interest (Art. 6(1)(f) GDPR) – secure operation of the Wi-Fi network, prevention of misuse and resolution of incidents/technical issues	1 month

We process your personal data only to the minimum extent necessary for the purposes specified in this policy.

If we process your data on the basis of consent, you may withdraw this consent at any time (e.g. for the newsletter also via the unsubscribe link) by sending an email to: GDPR@borymall.sk. Withdrawal of consent does not affect the lawfulness of processing before its withdrawal. For cookies, you can also manage consent through cookie settings on the Website; details are set out in the Cookie Policy on the Website.

Regarding our legitimate interests: We process CCTV recordings, data processing in connection with lost and found items, resolution of damage incidents, reportage footage, and processing of necessary technical Website logs on the basis of our legitimate interest, which is ensuring the security of persons, protection of property, resolution of related claims, and ensuring secure operation of the Website. Before commencing processing, we assessed the proportionality of processing. You have the right to object to this processing at any time.

Your personal data will not be used for automated decision-making or profiling.

3. Who may have access to your personal data?

Sharing your personal data with third parties

We also use third-party services to process your personal data, which provide us with technical, security, marketing, organisational or other professional support. Depending on the circumstances, these third parties may act as processors or as independent controllers.

If a third party acts as a processor, it processes personal data exclusively in accordance with the instructions of the Joint Controllers, for the purposes set out in this Policy and to the extent necessary to provide the relevant service. Processing of personal data by a processor is only permitted on the basis of a written data processing agreement that meets the requirements of Article 28 GDPR and Section 34 of the Act.

Personal data may be disclosed to the following categories of recipients to the necessary extent:

security service providers (e.g. private security) and related technical support suppliers, in particular in connection with security processes at the Centre (including the CCTV system),
insurance companies, legal representatives and other entities involved in resolving damage incidents and asserting insurance or other legal claims,
police, courts and other public authorities, where disclosure is required by law or is necessary in connection with an incident, damage event, or assertion/defence of legal claims,
web hosting, IT infrastructure and technical support providers who ensure the operation, maintenance and security of the Website and related systems,
providers of cookie management services and related technologies used on the Website (details including a list of providers are set out in the Cookie Policy on the Website),
email and communication service providers who handle the distribution of newsletters and marketing communications,
marketing and event agencies and production suppliers (including photographers/videographers) who participate in organising consumer competitions and events and in creating and processing marketing content,
payment service providers and banking institutions, where necessary for processing payments (in particular for gift card orders),
external accountants, auditors, tax and other professional advisors, where disclosure is necessary to fulfil legal obligations or to assert/defend legal claims,
providers of Wi-Fi network management and operation services at the Centre and persons with access to the administrative interface to the extent necessary for operation and support of the Wi-Fi network,
operator of the Giftify SA gift card system (in connection with issuing and operating gift cards under the GTC) and merchants in the closed network when accepting gift card payments.

The gift card system under the GTC is operated by Giftify SA, Cantersteen 47, 1000 Brussels, Belgium. Under the GTC, the contract for the purchase of a gift card is a purchase contract concluded between the customer and the operator of the gift card system, and the privacy policy is available at loyaltek.com. When using a gift card in the closed network of outlets (merchants), transaction-related data is also processed by the relevant merchant.

If the disclosure of personal data involves a transfer to third countries outside the European Union or the European Economic Area, we proceed in accordance with the rules set out in the section "Transfer of personal data to third countries" of this Policy and, for cookies, also in accordance with the Cookie Policy on the Website.

If you wish to obtain an overview of our processors, you can contact us at GDPR@borymall.sk; in justified cases we will provide you with the current list of processors to an extent proportionate to the purpose of the request.

4. Transfer of personal data to third countries

We usually process your personal data within the EU/EEA.

In some cases, however, personal data may be transferred to third countries, in particular in connection with the use of third-party platforms and tools, e.g. in consumer competitions, marketing, newsletter distribution and use of social networks, as well as with certain cookies and similar technologies used on the Website.

In such cases, we ensure appropriate safeguards in accordance with the GDPR (in particular standard contractual clauses or other mechanisms under the GDPR, where applicable). In the case of transfers based on standard contractual clauses, you have the right to request a copy of the relevant contractual safeguards (except for parts that may contain trade secrets or other protected information).

More detailed information on data processing through cookies, including any transfers to third countries and a list of relevant providers, is set out in a separate document, the Cookie Policy on the Website.

5. What are your rights?

The GDPR grants you a significant range of rights, which we respect and will enable you to exercise in full. In connection with the processing of your personal data, you have in particular the following rights:

right to information and notices relating to processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language,
right of access to your personal data (including the right to obtain confirmation as to whether we process your personal data and, if so, to access them and obtain further information about processing),
right to rectification of your personal data if they are inaccurate, and to have incomplete personal data completed,
right to erasure of your personal data (the so-called "right to be forgotten") in cases provided for by the GDPR,
right to restriction of processing of your personal data in cases provided for by the GDPR,
right to data portability for data you have provided to us that we process on the basis of your consent or a contract; upon your request we will provide this data in a commonly used and machine-readable format or transfer it directly to another controller where technically feasible,
right to object to the processing of your personal data where processing is based on legitimate interest; in such case we will cease processing your personal data unless we demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or grounds for asserting or defending legal claims,
right to object to processing for direct marketing purposes; if you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes,
right to withdraw consent at any time where we process personal data on the basis of your consent; withdrawal of consent does not affect the lawfulness of processing before its withdrawal,
right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR,
right not to be subject to automated individual decision-making including profiling where such processing would be carried out; in this policy we state that your personal data will not be used for automated decision-making or profiling.

If you exercise the right to object to the processing of your personal data, we have the right to assess the validity of the objection, in particular with regard to the existence and continuation of the legal basis for processing personal data and for the purposes of asserting or defending legal claims.

6. Where can you exercise your rights?
For matters relating to personal data processing and exercising your rights under the GDPR, you may contact any of the Joint Controllers at any time, in particular:

by sending an email to: GDPR@borymall.sk; or
by sending a letter to the postal address: Bory Mall Management, j.s.a., Lamač 6780, 841 03 Bratislava, with the note "GDPR".

To protect your personal data, we may require reasonable verification of your identity when handling your request (in particular for requests for access to data or copies of records), in a manner proportionate to the nature of the request.

It is our aim to answer any of your questions and resolve any complaint relating to the processing of your personal data. However, if you feel that we have not resolved your complaint, you have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, with registered office at: Námestie 1. májja 18, 811 06 Bratislava, website: www.dataprotection.gov.sk, or with the data protection authority in the Member State of your habitual residence or place of work.

These personal data processing rules may be supplemented or amended unilaterally at any time. The current version of this policy is published on the Website.

As of 1 June 2026

Bory Mall Management, j.s.a. on behalf of the Joint Controllers

PERSONAL DATA PROCESSING POLICY

BASIC INFORMATION

ABOUT BORY

CONTACT

FOLLOW US

	SHOPPING PASSAGE	GOLEM CLUB	BILLA	BUPPI DETSKÝ SVET	TATUUM – soon!
Monday	10:00 - 21:00	6:00 - 22:00	8:00 - 22:00	9:00 - 20:00	10:00 - 21:00
Tuesday	10:00 - 21:00	6:00 - 22:00	8:00 - 22:00	9:00 - 20:00	10:00 - 21:00
Wednesday	10:00 - 21:00	6:00 - 22:00	8:00 - 22:00	9:00 - 20:00	10:00 - 21:00
Thursday	10:00 - 21:00	6:00 - 22:00	8:00 - 22:00	9:00 - 20:00	10:00 - 21:00
Friday	10:00 - 21:00	6:00 - 22:00	8:00 - 22:00	9:00 - 20:00	10:00 - 21:00
Saturday	9:00 - 21:00	8:00 - 22:00	8:00 - 22:00	9:00 - 20:00	9:00 - 21:00
Sunday	9:00 - 21:00	8:00 - 22:00	8:00 - 21:00	9:00 - 20:00	9:00 - 21:00