Prohlášení o ochraně dat

Data protection information

Welcome to the overview page on data protection at LEGOLAND® Deutschland Freizeitpark GmbH and at LEGOLAND® Holidays Deutschland GmbH, companies of the Merlin Group.

At Merlin ("we", "us", "our"), we regularly collect and use personal data about customers who visit our attractions or hotels or visit our websites, as described in the privacy notices published on all our attraction websites. Personal data is any information that can be used to identify you as an individual. The protection of your personal data is very important to us and we recognise our responsibility to handle your personal data with care, keep it secure and comply with legal requirements.

The purpose of this Privacy Policy (also the "Policy") is to clearly explain when, why and how we collect and use personal data.

Please read this privacy notice carefully, it contains important information about how we use your personal data and explains your legal rights.  The notice has been designed to be as user friendly as possible, there are headings to each section to make it easier for you to find the information relevant to you.

This Privacy Policy is not intended to change the terms of any existing contracts with us (e.g. Wi-Fi policy or annual pass terms) or to limit your rights under applicable data protection laws.

We may amend this privacy policy from time to time to reflect changes in the law or policy, please check this policy regularly to keep up to date.

We will make changes to this policy from time to time to reflect changes in the law or our business policies. We recommend that you consult this policy regularly.

Privacy policy for the main website of LEGOLAND Deutschland (legoland.de)

Privacy policy for the LEGOLAND Deutschland app

 

Privacy policy for legoland.de

Contents

1. Who is responsible for data processing?
2. Data protection team and data protection officer
3. General information on data processing
4. Data transmission to third parties
5. Third country transfer
6. Deletion of data and storage period
7. Existence of automated decision-making, profiling
8. Hosting
9. Provision of the website
10. Contact by e-mail or via contact form
11. Direct marketing; newsletter
12. Cookies & similar technologies
13. What are YOUR RIGHTS?
APPENDIX 1 - LEGAL BASIS FOR PROCESSING
APPENDIX 2 - GLOSSARY

1. Who is responsible for data processing?

Responsible for data processing via the legoland.de website is:

LEGOLAND® Deutschland Freizeitpark GmbH LEGOLABD Allee 1, 89312 Günzburg

Phone: 08221 257 355 0

E-mail: info@legoland.de 

LEGOLAND® Deutschland Freizeitpark GmbH and LEGOLAND® Holidays Deutschland GmbH are part of the Merlin Group. Merlin Entertainments plc ("Merlin") is an entertainment company headquartered in the United Kingdom, whose address is Link House, 25 West Street, Poole, BH15 1LD and which operates over 100 attractions and 20 hotels and holiday villages in 25 countries ("Merlin Group"). If you visit other Merlin Group websites, other data may be collected and other companies may be responsible under data protection law.

There is a central contact person for all data controllers within the Merlin Group, whose contact details are given in section 2.

 

2. Data protection team and data protection officer

The primary point of contact for all questions related to this policy and requests to exercise your data subject rights is the Merlin Data Protection Team:

Data.protection@merlinentertainments.biz 

You can contact the external data protection officer of LEGOLAND® Deutschland Freizeitpark GmbH directly at the following address:

Personal / Confidential
Lisa Rehkugler
c/o intersoft consulting services AG
Rotebühlplatz 9
70178 Stuttgart

E-mail: lrehkugler@intersoft-consulting.de

 

3. General information on data processing

3.1 WHEN do we collect personal data?

In principle, we only process your personal data insofar as this is necessary to provide our online offers, content and services.

We collect personal information when you visit the website of one of our attractions, when you sign up for a newsletter there, when you use one of our apps, when you purchase an admission ticket or an annual pass, when you make a booking by phone, when you log into the Wi-Fi of one of our attractions, when you visit our shop and make a purchase there, when you book a stay in one of our hotels, when you take part in a survey or a competition or contact us with questions and suggestions, etc.

In particular, we would like to draw your attention to the following data collections:

• When you visit our ticket shop, we collect personal data in order to be able to offer you the ticket service, to make your purchase as pleasant as possible, to suggest interesting products to you, to better understand user behaviour, to improve our offer and for security reasons.
• With your consent, we record telephone calls in order to record your consent to the sending of advertising material (if necessary, see section 6 for further information).
• When you use our app, we collect personal data so that we can provide you with the app service and the associated functions, to improve the functions and features of the app, to prevent misuse and rectify faults and to offer you a personalised visitor experience. If someone has registered for a family annual pass or taken part in a competition on your behalf, the information about you will in this case be passed on to us via the respective family member or the respective third party.
• We never knowingly collect personal data from children for marketing purposes without making it clear that this information may only be provided with parental consent where required by applicable law. Merlin therefore only uses children's data to the extent permitted by law and only if the parents or legal guardians have given their consent.

3.2 WHAT personal data do we collect?

We may collect the following data from potential, former and current customers and visitors to our attractions and this website ("customers"):

• Personal master data: Name, address, date of birth, telephone number, e-mail address (as part of the ticket purchase or dispatch)
• Weblogs and usage data: technical information about visits to our website (IP address, URL of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, device data such as browser type and version, language setting, screen resolution, the user's operating system, referrer URL (=the previously visited page), the requesting provider), website history, frequency of visits, user behaviour on the website.
  We use cookies: For more information about cookies, please refer to our consent management (see section 8.4 below) and our cookie policy.
• Your marketing preferences including interests, entries in marketing lists, authorisations for and objections to advertising measures, website data, online identifiers such as advertising IDs. For more information on this, please also refer to our separate cookie policy.
• Information in form fields: Information that you provide by filling in forms on our website. This includes information provided when you register on our website, subscribe to our services, send us materials or request further services. We also ask for information if you wish to report a problem with our website.
• Content of contact requests: If you contact us about a problem or concern, we record the content of the respective contact in order to be able to process your request.
• Data from surveys: Information that you provide in a voluntary survey regarding services received or your visit experience at an attraction.
• Transaction data: Information about transactions you carry out via our website or bookings you make, including credit or debit card details.
• Booking details: Your name, address, telephone number and e-mail address, your customer number in order to send you booking confirmations or, if necessary, to inform you that we need to contact you urgently about your booking.
• Purchase and visit history: your name, your customer number, your purchases, your visit data

 

4. Data transmission to third parties

Your data will only be transferred to third parties if this is necessary to fulfil the contractual relationship with you or for administrative purposes of LEGOLAND® Deutschland Freizeitpark GmbH, LEGOLAND Allee 1, 89312 Günzburg, Germany, as part of the Merlin Group, or if you have previously expressly consented to the transfer of your data.

If personal data is transferred or access to such data is granted within the Merlin Group for internal administrative purposes, the transfer of the data is based on our legitimate business and commercial interests, Art. 6 para. 1 sentence 1 lit. f GDPR.

We also share the data with third parties to enable the administration of our business and the provision of services. These third parties may need to access your personal data from time to time. Where our service providers come into contact with your personal data, we require them to treat personal data confidentially and only for the agreed purpose and to comply with the provisions of data protection laws in the same way. Please note the respective data protection notices of the providers. The respective service provider is responsible for the content of external services.

These include:

• Service providers who maintain our IT and background systems and support our customer relationship management activities, in particular Group M, Meta Platforms, Inc., Pinterest Europe Ltd., Salesforce, Inc., Google Ireland Limited, Zendesk, Inc., NICE Ltd., Attraction Technology Ltd, accesso Technology Group, plc., Playable ApS, Avius Ltd., HighLight Production GmbH, Oracel B.V, Microsoft Ltd, WINGIFY Software Private LTD, PayPal (Europe) S.à r.l. et Cie, S.C.A., Klarna Bank AB (publ), Merkle, Tripicchio AG, Gateway Ticketing Systems, Inc., Oracle, Insoco GmbH, HH Global, Avius Insight, Survey Monkey, BidSwitch, Media Innovation Group, The Reach Group, Amobee, IntelliAd Media, Kupona, Ligatus, Cludo, AppNexus, Adloox, Ad Police, Umbraco, Wavemaker, ISO Travel Solution, VWO, OneTrust LLC, Quantum Metric, Salesforce Marketing Cloud, MPhasis, Semrush, Attractions.io, Logisitc-Mail-Factory GmbH, Cyberday GmbH, Sparkasse Günzburg-Krumbach, HypoVereinsbank, American Express International, Inc., TeleCash GmbH & Co. KG, DataCash Group, Concardis GmbH, Klarna GmbH, PayPal (Europe) S.à rl et Cie, SCA, Volksbank Offenburg eG, GiroSolution AG.
• Supervisory authorities, including the German data protection supervisory authorities and other supervisory and law enforcement authorities in EU countries and worldwide.
• Legal and other service providers (including our auditors). We would also have to pass on your personal data to the buyer in the event of a sale of parts of our company.

We would also have to pass on your personal data to the buyer in the event of a sale of parts of our company.

 

5. Third country transfer

When selecting our service providers and partners, we emphasise that data processing should preferably take place in the EU. However, this is not possible in all cases.

Some of our service providers are based outside the EU/EEA. In the absence of an adequacy decision by the EU Commission, such countries are considered "unsafe third countries" from a European perspective in terms of data protection law. This means that the same level of data protection does not prevail there as is guaranteed within the EU/EEA. Certain rights are not available to you there or cannot be fully guaranteed. When personal data is transferred to insecure third countries, it cannot be ruled out in some cases that government institutions may have access to this data without you having effective legal remedies against such access.

If and insofar as data is transferred to third countries, we therefore ensure that an appropriate level of data protection is guaranteed at the recipient before your personal data is transferred.

In this privacy policy, we inform you when and how we transfer personal data to the USA or other unsafe third countries. A third country transfer only takes place if

• the recipient provides sufficient guarantees in accordance with Art. 46 GDPR for the protection of personal data,
• you have expressly consented to the transfer, after we have informed you of the risks, in accordance with Art. 49 para. 1 lit. a GDPR,
• the transfer is necessary for the fulfilment of contractual obligations between you and us,
• or other appropriate safeguards pursuant to Art. 49 GDPR apply.

Guarantees within the meaning of Art. 46 GDPR can be standard contractual clauses of the EU Commission. The recipient guarantees to adequately protect personal data and to ensure a level of data protection comparable to the GDPR, including by implementing additional technical and organisational measures.

 

6. Deletion of data and storage period

In principle, we only store your personal data for as long as the purpose of the storage requires. After that, the data will either be deleted or - if statutory retention periods to which we are subject or overriding legitimate interests prevent deletion - the data will be blocked for other use. This applies, for example, to data that must be stored for commercial or tax law reasons, such as invoice data or other document data.

 

7. Existence of automated decision-making, profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR, but we do use profiling through automated processes to tailor advertising measures to a specific customer.

If you are a customer who has signed up to receive marketing updates, we may use profiling to tailor marketing materials to your interests and to content that we think may be of interest to you. In certain circumstances, profiling may allow certain inferences to be drawn about you that may fall within the special categories of your personal data. However, we will only do this if we have obtained your express consent to do so, see section 7 et seq. below.

 

8. Hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers.

Nature and purpose of processing
This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

Legal basis
The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG.

Order processing
We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Our hoster will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

We use the following hoster:

• Microsoft Azure

Storage duration
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

Right of cancellation or objection
Once consent has been given, it can be revoked at any time with effect for the future. The legality of the data processing until the revocation remains unaffected.

If you object to data processing that is based on our legitimate interest, we will weigh up the conflicting interests. If your rights and freedoms outweigh our legitimate interest in data processing, we will cease data processing.

 

9. Provision of the website

If you only use the website for information purposes, i.e. if you do not register or otherwise provide us with information (e.g. via the contact form), we only collect the personal data that your browser transmits to our server.

Nature and purpose of processing
When you visit our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security:

• IP address
• Date and time of the enquiry
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of the browser software

The purpose of collecting log files is to record blocked or abusive website access and to ensure the security and stability of our website. We regularly do not know who is behind an IP address. We do not merge the data listed above with other data.

Legal basis
The legal basis is our legitimate interest, Art. 6 para. 1 sentence 1 lit. f GDPR. The aforementioned purposes also constitute the legitimate interest in data processing within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR.

Storage duration
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. This is usually the case after one month at the latest.

Possibility of cancellation or objection
The collection of this data is technically necessary in order to display our website to you and to ensure its stability and security. Since the collection of data for the provision of the website and storage in log files is absolutely necessary for the operation of the website and to protect against misuse, our legitimate interest in data processing prevails at this point.

 

10. Contact by e-mail or via contact form

Nature and purposes of processing
We collect personal data when you provide it to us of your own accord, for example when you contact us. The personal data transmitted to us in this way will of course be used exclusively for the purpose for which you provide it to us when you contact us.

This information is provided on a voluntary basis and in these cases is initiated by you. If this involves information on communication channels (e.g. e-mail address, telephone number), we will use these channels to contact you in accordance with your request.

The purpose of processing your data is to process and respond to your request.

Legal basis
The legal basis for the processing of the data that you transmit to us in the course of contacting us is Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest in the processing also lies in the purposes described above.

Storage duration
We will delete your data that we have received in the course of contacting you as soon as it is no longer required to fulfil the purpose for which it was collected, i.e. your request has been fully processed and no further communication with you is required or desired by you.

Possibility of cancellation or objection
You can contact Data.Protection@merlinentertainments.biz at any time to have the data relating to your enquiry deleted. However, we may then not be able to fully process your request.

 

11. Direct marketing; newsletter

11.1 Direct marketing by post, e-mail, telephone

We would like to be able to contact or remain in contact with our customers. For this reason, we use postal mailings, e-mail and possibly your telephone number to address you as a customer.

Until you object, direct marketing by post is carried out on the basis of our legitimate interest in advertising and publicising our products and services, Art. 6 para. 1 sentence 1 lit. f GDPR. You have the right to object to this use of your data. We will then no longer send you any advertising mailings in future. To object, simply send an informal email to Data.Protection@merlinentertainments.biz or an informal letter to the address stated in section 1.

Pursuant to Section 7 (3) UWG, it is permitted to advertise our own goods or services by email within the scope of existing customer relationships without the consent of the data subject being required. This presupposes that we have received your e-mail address in connection with the sale of a product or service, that we advertise our own similar goods or services, that you as the data subject have not previously objected to receiving advertising and that you are informed when the e-mail address is collected and each time it is used that you can object to this use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic rates. You will therefore find an "unsubscribe link" in each of our emails to you, which you can use to object to receiving such advertising, and a reference to this privacy policy.

We will only contact you by telephone for direct marketing purposes subject to your express consent.

11.2 Newsletter

11.2.1 Newsletter subscription

You can subscribe to various newsletters on our websites with which we inform you about the activities of our company, current information about our services, special offers, promotions and events. The content of the individual newsletters is briefly described during the registration process.

The legal basis for sending the respective newsletter is your consent, Art. 6 para. 1 sentence 1 lit. a GDPR or without your express consent only if all requirements of the legal permission according to § 7 para. 3 UWG are met.

We use the so-called double opt-in procedure to subscribe to our newsletters. This means that after you have registered, we will send you an e-mail to the e-mail address you have provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration, your information will be automatically deleted after 4 days. Data of persons who unsubscribe will be completely deleted after 30 days.

The only mandatory information for sending the newsletter is your e-mail address. The provision of further data is voluntary: this data is used to address you personally.

After your confirmation, we store your e-mail address for the purpose of sending you the newsletter until cancellation. We also store your current IP address at the time of registration, the time of registration (timestamp) and the confirmation for up to three years after registration (limitation period). The purpose of this procedure is to be able to prove your registration in case of doubt and, if necessary, to clarify any misuse of your personal data.

The legal basis for the logging of the registration is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the proof of a given consent, see also Art. 7 para. 1 GDPR.

11.2.2 Shipping service provider

The newsletter is sent via our service provider Salesforce.

To ensure the level of data protection, there is an order processing contract with the shipping service provider in accordance with Art. 28 para. 3 sentence 1 GDPR.

For the purpose of optimising its own services, e.g. for the technical organisation of dispatch and to optimise the presentation or for statistical purposes, the dispatch service provider may use the data of data subjects exclusively in pseudonymous form, i.e. no allocation to a user takes place within the scope of this processing. Under no circumstances will the mailing service provider use the data to write to you itself. Your personal data will not be passed on to third parties by the mailing service provider.

The legal basis for the data processing described is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 f GDPR in the optimisation of our business processes and the promotion of our business purposes.

11.2.3 Newsletter tracking

We would like to point out that your user behaviour is evaluated when the newsletter is sent. The e-mails in question contain so-called web beacons or counting pixels, which are retrieved from our server or the server of our service provider when the newsletter is opened.

For the analyses, we link the web beacons with the email address and an individual ID. Links received in the newsletter also contain this ID. We use the data obtained in this way to create target group-specific user profiles in order to tailor the newsletter to your respective interests. In doing so, we record when our newsletters are read and which links are clicked on and deduce your personal interests from this.

Our service provider enables us to categorise newsletter recipients according to various categories (so-called tagging). The newsletter recipients can be categorised, for example, by gender, personal preferences or customer relationship (e.g. customer or potential customer). In this way, the newsletters can be better customised to the respective target groups.

The legal basis for newsletter measurement and analysis is our legitimate interest in measuring the reach and success of our newsletter.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of our service provider after you unsubscribe from the newsletter.

11.2.4 Possibility of objection/revocation

You can revoke your consent to the sending of the newsletter at any time. You can declare your cancellation by clicking on the link provided in every newsletter e-mail, by sending an e-mail to insert address or by sending a message to Data.Protection@merlinentertainments.biz.

If you do not wish the newsletter to be analysed as described under 7.2.3, you must unsubscribe from the newsletter in question. For this purpose, we provide a corresponding link in every newsletter message. The tracking described is also not possible if you have deactivated the display of images in your e-mail programme by default. In this case, the newsletter will not be displayed in full and you may not be able to use all the functions. If you display the images manually, the above-mentioned tracking will take place.

 

12. Cookies & similar technologies

Cookies are stored on your computer when you use our website. Cookies are small data records that are stored in the browser on the end device when visiting websites (and when using apps) and can be read out again by the end device. Any information can be stored in cookies and they can serve various purposes. Some cookies are necessary to display websites correctly, other cookies serve the purpose of recognising users and collecting further information about them. They also serve to make the website more user-friendly and effective overall.

This website uses the following types of cookies, the scope and function of which are explained below:

12.1 Transient cookies

These cookies are automatically deleted when you close the browser. These include session cookies in particular. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.

12.2 Persistent cookies

These cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

12.3 Similar technologies: Web Beacons & Scripts

Websites, emails and mobile applications may contain small, transparent image files or lines of code to enable us to understand how you interact with them. We use this information to make our website and newsletter more user-friendly and personalised.

12.4 Consent management and prevention of cookies & similar technologies

We use the consent management tool OneTrust. The provider is OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom (UK).

Nature and purpose of data processing
OneTrust is a consent management tool that enables us to ask users for their consent to the use of tracking and analysis tools and thus comply with the requirements of the GDPR. Each user can thus make their own decision regarding the processing of their usage data on our website.

OneTrust sets two technically necessary cookies to save your cookie consent. If a user consents to the use of cookies, the following data is automatically logged:

• IP address of the user at the time of consent
• Date and time of consent
• User agent of the end user's browser
• the URL of the provider
• the cookies authorised by the user (cookie status; serves as proof of consent)
• an anonymous, random and encrypted key

One Trust takes various appropriate technical, organisational and administrative security measures to protect all personal data stored by us against loss, misuse, unauthorised access, disclosure, alteration and destruction.

OneTrust is ISO/IEC 27001:2013, ISO/IEC 27701:2019 and SOC 2 Type 2 certified, among others. You can find OneTrust's current certifications and security reports at: https://www.onetrust.com/de/privacy/

Storage duration
The encrypted key and the cookie status are stored on the user's end device using a cookie in order to establish the corresponding cookie status on future page views. This cookie is automatically deleted after 12 months. 

Receiver
OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom (UK)

Legal basis
The legal basis for the storage of the OneTrust Consent cookie is Art. 6 para. 1 lit. c GDPR, we thus fulfil the legal requirements of Art. 5 GDPR. If a corresponding consent for a cookie or similar technology has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG.

Cancellation/objection
The cookies set by OneTrust are necessary for the fulfilment of our legal obligations. There is no right of cancellation or objection in this respect. You can set your browser so that these cookies are blocked or you are notified about these cookies. However, some areas of the website will then not work.

12.5 Legal basis and storage duration for cookies and similar technologies

The legal bases for possible processing of personal data using cookies, web beacons and scripts and their storage duration vary and are presented in the following sections. Insofar as we obtain consent for the use of analysis and tracking technologies, this also constitutes consent in accordance with Art. 6 GDPR and Section 25 TTDSG.

12.6 Possibility of objection or cancellation

Once you have given your consent to the use of cookies or other tracking tools, you can revoke it at any time with effect for the future. You can also object to their use if the legal basis for their use is our legitimate interest. For both, please use our Consent Tool, where you can change your selection at any time.

You can also object to the use of cookies there, which we use on the basis of our legitimate interest, unless they are technically absolutely necessary for our offer.

If you wish to revoke all consents, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked for your cookie consent again.

You can also configure your browser according to your wishes and, for example, refuse to accept third-party cookies or all cookies. We would like to point out that you may then not be able to use all the functions of this website.

Further information on the cookies used can be found in our cookie statement.

 

13. What are YOUR RIGHTS?

You have the following rights in connection with the processing of your personal data: You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR) under the respective legal requirements.

You have the right to object to the processing under the legal requirements (Art. 21 GDPR).

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection regulations (Art. 77 GDPR).

In the following, we briefly explain the scope of the individual rights:

Law	What does that mean?
Information	You can demand from us, to inform you whether we process your personal data; if so, to tell you what personal data we process from you and for what purpose, with whom we share this data and whether we transfer it abroad and how we protect it, how long we keep it, the origin of the data if we have not collected it directly from you, what rights you have, how you can lodge a complaint and whether we carry out automated decision-making or profiling - unless you have already been provided with this information; to give you a copy of this data
Correction	You can ask us to correct inaccurate personal data concerning your person.
Cancellation / Right to be forgotten	You can ask us to delete your personal data, but only if they are no longer needed for the purposes for which they were collected; or you have withdrawn your consent (if the processing was based on your consent); or the erasure of your data is the result of an objection exercised by you (see 'Objection'); or the data was collected unlawfully; or the deletion arises from a legal obligation to which Merlin is subject. We are not obliged to comply with your request to delete your personal data if it is necessary for the following purposes: Compliance with legal obligations, the establishment, exercise and defence of legal claims. PLEASE NOTE that we maintain a blacklist on which you will be placed if you exercise your right to object to marketing to ensure that no further marketing communications are sent to you. Further restrictions on our erasure obligation may arise in individual cases from Article 17 (3) GDPR and Section 35 of the Federal Data Protection Act (BDGS).
Restriction of processing	You can ask us to restrict the processing of your personal data, i.e. to retain it but not to process it or not to process it for specific purposes, but only if whose accuracy has been disputed (see 'Correction') to allow us to verify its accuracy; or the processing of which is unlawful, but you do not want it erased; or they are no longer needed for the purposes for which they were collected, but they are still needed for the establishment, exercise or defence of legal claims; or you have exercised your right to object and a review of the grounds for cancellation is still pending. We will continue to use your personal data even after a restriction request if we have obtained your consent to do so; or this is necessary for the establishment, exercise or defence of legal claims; or to protect the rights of other natural or legal persons.
Transferability	You can ask us to provide your data in a structured, commonly used and machine-readable format or ask us to transmit it directly to another data controller, but only if the processing is based on your consent or a contract with you or if the processing is carried out using automated procedures.
Complaint	You have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

 

Right of objection

You may object to any processing of your personal data that we carry out on the basis of our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) (see Appendix 2 for more information) and you believe that your fundamental rights and freedoms take precedence over our legitimate interests. In the event of your objection, we may demonstrate how our legitimate interests override your rights, but this does not apply if the objection concerns the use of personal data for advertising purposes.

To exercise your rights, you can contact us using the details listed in section 11. Please note the following:

Proof of identity. If there is any doubt about your identity when you make an enquiry, we are obliged to request proof of identity.

Deadlines. We endeavour to respond to all legitimate requests within one month. If an enquiry is particularly complicated or if you have made several enquiries, it may be necessary to extend this period to three months. We will let you know within the one-month period if it will take more than one month to process your enquiry. In cases of doubt, we will ask you to explain your request in more detail. This will help us to process your enquiry more quickly.

Exceptions. National laws may contain further exceptions to the right of access. For example, under UK law, you may not be granted access under certain circumstances because the data in question is subject to a duty of confidentiality. Under German law (pursuant to Section 34 of the Federal Data Protection Act), the right to information does not apply in particular if the data is only stored in order to fulfil legal or statutory retention obligations or exclusively for the purposes of data security and data protection control and the provision of information would require a disproportionate effort and processing for other purposes is excluded by suitable technical and organisational measures.

 

APPENDIX 1 - LEGAL BASIS FOR PROCESSING

APPENDIX 2 - GLOSSARY

Customer: means a person who buys, has bought or will buy tickets for an attraction, uses Merlin's website, goods and services or takes part in a Merlin competition or event.

Controller: means a natural or legal person who determines the means and purposes of data processing.

Data subject: means a person whose personal data is affected.

EEA: refers to the European Economic Area.

GDPR: refers to the EU's General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.

Legitimate interests: refer to reasons that organisations can provide as a lawful basis for their actions, for example, where personal data is used in a way that can reasonably be expected or there is a compelling reason for the processing.

Member States: refers to countries that are members of the European Union.

Profiling: means the analysis of your personal data for the purpose of evaluating your behaviour or predicting certain things about you that may be relevant to you in an entertainment context, for example how likely you are to attend a particular event of ours.

Special categories of personal data: means personal data relating to health, genetic and biometric data, criminal record, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Service providers: refers to third parties to whom we entrust some functions of our business. For example, we engage service providers to provide and maintain our cloud-based IT applications and systems, which means that your personal data is stored on their servers but under our control and management. We require all our service providers to maintain confidentiality about this personal data and its security.

Updated: July 22nd, 2024

---

You can find information about the cookies we use in our cookie statement.