LEGOLAND® Privacy and Cookie Policies
OVERVIEW of this Policy and Commitments to Privacy at Merlin
At Merlin ("we", "us", "our"), we regularly collect and use personal data about consumers who visit our attractions or hotels, or browse our websites. Personal data is any information that can used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.
Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws.
We will make changes to this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect, how we use it, and who we share it with.
- WHO is responsible for looking after your personal data?
- WHAT personal data do we collect?
- WHEN do we collect your personal data?
- What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?
- Who do we SHARE your personal data with?
- Direct Marketing.
- International Transfers.
- How long do we keep your personal data?
- What are your rights?
- Contact and complaints.
- APPENDIX 1 - LEGAL BASIS FOR PROCESSING.
- APPENDIX 2 - GLOSSARY.
1. WHO is responsible for looking after your personal data?
Merlin Entertainments plc("Merlin") is a British-based entertainment company, with a registered office at Link House, 25 West Street, Poole, Dorset, BH15 1LD, which operates over 100 attractions, and over 20 hotels and holiday villages in 25 countries. Our business is about creating unique, memorable and rewarding visitor experiences. A list of our attractions and a note of the companies that make up the Merlin group which help to achieve this is available at ("Merlin Group").
2. WHAT personal data do we collect?
In relation to visitors to this site ("Visitors"), we collect the following data:
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
3. WHEN do we collect your personal data?
- We will collect information from you when you visit this site
4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?
We will use your personal data to:
- ensure that content from our site is presented in the most effective manner for you and for your computer.
- allow you to participate in interactive features of our service, when you choose to do so.
We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 and in Appendix 1 where we are satisfied that:
- our use of your personal data is necessary to support 'Legitimate Interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights. Please see Appendix 1 for more details about our Legitimate Interests.
5. Who do we SHARE your personal data with?
To help manage our business and deliver services, these third parties may from time to time need to have access to your personal data, and include:
- service providers, who help manage our IT and this site, in particular by Isobar.
- our regulators, which include the ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
- solicitors and other professional services firms (including our auditors).
6. International Transfers
Some entities in the Merlin Group, with whom we share your data, and our service providers who have access to your personal data, are located outside the European Union. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular we will either:
- only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
- ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR and/or the EU - U.S. Privacy Shield for the protection of personal data transferred to the US (for further details, please see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention..
8. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy
Where we are required to do so to meet legal, regulatory, tax or accounting requirements, we will retain your personal data for longer periods of time, but only where permitted to do so, including so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised and the Personal Data is no longer used by the business.
9. What are your rights?
You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data; objection to the processing of your data; data portability; and various information in relation to any automated decision making and profiling or the basis for international transfers. You also have the right to complain to your supervisory authority (further details of which are set out in Section 11 below). These are defined in more detail as follows:
WHAT THIS MEANS
You can ask us to:
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure / Right to be Forgotten
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a suppression list if you have opted out from receiving marketing content to ensure that you do not receive any further communications.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
You can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate Interests. Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests which override your rights, however this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.
To exercise your rights you can contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
- Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
- Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Exemptions. Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
10. Contact and complaints
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way:
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time. In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
APPENDIX 1 - LEGAL BASIS FOR PROCESSING
Type of information collected
The basis on which we use the information
Providing this site
· As explained in 2 above
· Legitimate interests (to provide a better experience and tailor that experience to you by understanding what browser you use and how you interact with our site)
APPENDIX 2 - GLOSSARY
Consumer: means an individual who will, who has, or who is purchasing tickets for an Attraction or using Merlin's websites, goods or services, or participating in a prize draw/competition or Merlin experience.
Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.
Data Subject: means an individual whom the personal data is about.
EEA: means the European Economic Area.
GDPR: means the General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.
ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.
Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.
Member States: means those countries which are part of the European Union.
Privacy Shield: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.
Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
What are cookies?
Cookies are small text files containing a string of characters that can be placed on your computer or mobile device that uniquely identify your browser or device.
What are cookies used for?
Cookies allow a site or services to know if your computer or device has visited that site or service before. Cookies can then be used to help understand how the site or service is being used, help you navigate between pages efficiently, help remember your preferences, and generally improve your browsing experience. Cookies can also help ensure marketing you see online is more relevant to you and your interests.
You can edit your browser options to block cookies in the future at any time. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our website who disable cookies will be able to browse certain areas of the website, but some features may not function. You can find out more about cookies at www.allaboutcookies.org and the site will give you guidance on how to control and delete unwanted cookies you have already accepted. You may also opt-out of certain third party cookies that we and other websites may use for targeted advertising through the European Interactive Digital Advertising Alliance (EDAA) Your Online Choices Page or http://www.aboutads.info
What Cookies do we use?
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
The following explains some of these and how they are used
You can manage your preferences and opt-out of Google's interest-based ads in your Google Ads Setting. In this case, the unique cookie ID of the DoubleClick-Cookie is overwritten and can't be associated with a particular browser. Please note that a new DoubleClick-Cookie might be placed if you delete all cookies from your device and you may have to renew your opt-out settings.
If you would like to permanently deactivate the DoubleClick-Cookie please download and install the browser-plugin which is available here.
You can find out more about Google’s position on privacy as regards its analytics service at http://www.google.com/intl/en_uk/analytics/privacyoverview.html
Hotjar is an analytics and feedback tool that we use to understand how our website is used and improve usability. Hotjar sets cookies to help us track behaviour across pages and to control visitor polls. The cookies carry no personally identifiable information.
Google AdWords (conversion): we use Google AdWords cookies to customize the advertising and content you see for our website, limit the number of ads you see for our website, and measure the effectiveness of our campaign
Google AdWords (remarketing): we use Google AdWords remarketing cookies to collect data about your activities when you visit our websites, the website of entities who serve our ads (advertisers), or the website and online services where we display ads
Facebook Pixel: we use Facebook pixel tracking to measure social media campaign efficiency related to the Facebook platform
Optimize utilizes Analytics cookies to target content variants to a user and a content experiment cookie to determine a user's participation in an experiment.