Hudson Privilege Scheme


This Privacy Policy (the “Privacy Policy”), together with the Terms of Conditions , governs your relationship with Hudson Holdings Limited and the subsidiaries that form part of the Hudson Group with regards to your membership to the Hudson Privilege Discount Scheme (“the Privilege Scheme”).

For you to sign up and be a Member of the Privilege Scheme, we collect and process some of your personal information.

We are aware that personal data is a sensitive topic and we are committed to respecting your privacy and processing your data lawfully, fairly, transparently and in accordance with your rights.

We have tried to keep this policy as simple as possible. However, if any part is unclear to you, contact us at [email protected] and we will respond to your query in due time clarifying any doubt you may have.


The Data Controller (“the Controller”), i.e. the entity that determines the purposes and means of data processing, is Hudson Holdings Limited, a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at [email protected] or +356 2147 2790.

The Data Processor (“the Processor”), i.e. the entity that processes the data on the behalf of the Controller, is Think Design Limited, a company incorporated in Malta with offices at Ferralco Buildings, Brewery Street, Mriehel, Birkirkara, BKR3000, Malta. The Processor is reachable at [email protected] or +356 21446499.

The relationship between the Controller and the Processor has been formalized by means of a Data Processing Agreement, pursuant to art. 28.3 GDPR.

For the purposes of this Privacy Policy, you are the “Data Subject”.


3.1     In administering the Privilege Scheme, we collect the following information about you (“Member data”):

(i)       Title;

(ii)      Name and last name;

(iii)      Date of birth;

(iv)     ID Card/Passport Number;

(v)      Town of residence;

(vi)     Full address (Only if you apply for a physical card);

(vii)     Mobile number;

(viii)    E-mail address;

(ix)     Gender (optional);

3.2     When you make a purchase from one of the Outlets and use your membership card or the App, the information below is collected (“Purchase data”):

(x)      Date, time and place of the purchase;

(xi)     Items purchased and total amount of the purchase.


Member data, as described in Clause 3 above, is only collected for specific, explicitly stated and legitimate purposes and it is processed according to the legal basis identified below.

Contract: as foreseen by Art. 6.1 b) GDPR: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

The contract hereby refers to the Terms and Conditions governing the Privilege scheme that the Member has agreed to and signed.

Categories of Personal Data

Purpose(s) for collecting

Legal basis

Member data


Address properly the communications to be sent to you.


Name and last name

Identify you as a member of the scheme.


Date of birth

Verify if you have the minimum age required to be a member of the scheme.


ID Card/Passport Number

Verify your identity while purchasing in store.


Town of residence

Retail analysis.


Full Address

Send the physical card by post (if you want one).


Mobile number

To be able to contact you to ensure the efficient running of the Privilege Scheme, including the accrual and redemption of Points, as specified in the Terms and Conditions.


E-mail address

To be able to contact you to ensure the efficient running of the Privilege Scheme, including the accrual and redemption of Points, as specified in the Terms and Conditions.


Gender (optional)

Address marketing communications in a proper manner.


Purchase data (only if privilege card/APP is used)

Date, time and place of the purchase

For accounting and audit purposes.


Object and amount of the purchase

For accounting and audit purposes.




5.1     Your personal data may be shared between the undertakings forming part of the Hudson Group, pursuant to Recital 48 GDPR. Hudson Holdings LTD has legitimate interest in transferring personal information inside the group for internal administrative purposes.

5.2     Your personal data may be also shared between the Controller and the Processor.

5.3     Your personal data is never transferred outside of the European Economic Area (EEA) or to international organizations.

5.4     We do not sell, trade or otherwise transfer any personal information to third parties.

5.5     We will release your data if we are obliged to do so to comply with any law, regulation or court order.


Personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.

Retention periods for each category of data are identified below.

Categories of personal data

Retention period

Member data

For the duration of the membership to the Privilege Scheme.

Purchase data

Data is retained permanently, but it is anonymised once the data subject opts out from the Privilege scheme.



7.1 As data subject, you have extensive rights when it comes to the processing of your personal data.

Your rights, listed below, may be enforced by contacting the Controller or the Processor by email, by post or by phone using the contact details provided above.

You are guaranteed a response within 30 days month from the date of receipt of your enquiry.

If your request is particularly complex or we need to process an extraordinary number of simultaneous requests, our reply may take longer but will be provided no later than 2 months from the date of receipt of your enquiry. This reply will also include details explaining the reason for the delay in our response.

We will provide the information in digital format or if preferred in hard copy format.

Such requests will not incur any fee, except when:

(i)       Your requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case we will charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested. In this case, we may also refuse to act on the request after having explained our position;

(ii)      You request the information on paper and posted. In that case, we will charge you the postage fees.

Should we have reasonable doubts concerning your identity when making the request above, we may require additional information, necessary to confirm your identity.

Your rights are:

7.2     Access

You may obtain confirmation from us as to whether or not your personal data is being processed including:

(i)       the purposes of the processing;

(ii)      the categories of personal data concerned;

(iii)      the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(iv)     where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(v)      the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(vi)     the right to lodge a complaint with the supervisory authority;

(vii)     the existence of automated decision-making, including profiling.

7.3     Rectification

In case your data is inaccurate, incomplete or out-of-date, you have the right to ask us to rectify it.

7.4     Deletion (“the right to be forgotten”)

You have the right to have your personal data erased in case:

(i)       the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(ii)      You have withdrawn consent to process your data and there is no other legal basis legitimating its processing;

(iii)      You have objected to processing your data and there is no other legal basis legitimating its processing;

(iv)      Your personal data has been unlawfully processed;

(v)      Your personal data has to be erased in order to ensure compliance with any legal obligations arising from any legislation enacted within the EU or any member states.

7.5     Restriction

You have the right to request a restriction on the processing of your data in case:

(i)       You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of such data;       

(ii)      The processing of your data is unlawful, and you oppose the erasure of your personal data and request the restriction of their use instead;

(iii)      We no longer need the personal data for the purposes of the processing;

(iv)     We no longer need your data, but we are required by you to retain the data for the establishment, exercise or defence of legal claims;

(v)      You have objected to processing (as specified in detail below), pending the verification whether our legitimate grounds override yours.

When you restrict processing, your personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

In case you have obtained restriction of processing as per above, we will inform you before the restriction of processing is lifted.

7.6     Data portability

You have the right to receive the personal data about yourself that you submitted to us when subscribing to the Privilege scheme in a structured, commonly used and machine-readable format, and you have the right to transmit those data to a Controller other than Hudson without hindrance from our end.

Where technically feasible, in exercising your right to data portability you have the right to have your personal data transmitted directly from Hudson to another Controller.

7.7     Complaint

In addition to the above, and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority if you consider that your personal data has been processed unlawfully. The competent supervisory authority is the Information and Data Protection Commission with headquarters at Floor 2, Airways House, Triq Il - Kbira, Tas-Sliema SLM 1549, Malta.


The Controller and the Processor take reasonable and appropriate administrative, technical and organizational measures to protect the confidentiality, integrity and availability of your Personal Data, whether in electronic or tangible, hard copy form.

Any breach that may involve your Personal Data will be notified to the supervisory authority within 72 hours of becoming aware of it.

Should the breach result in a high risk of adversely affecting your rights and freedom, we will notify it to you without undue delay.


The law applicable to the processing activities, and to this policy, shall be:

-         Until 25 May 2018, the Data Protection Act, Chapter 440 of the Laws of Malta and other subsidiary legislation;

-         After 25 May 2018, Regulation EU 2016/679 (“GDPR”).

-         Any other Maltese legislation that may be in force from time to time.