Preamble
This service (hereinafter referred to as "App") is made available by
LEGOLAND Deutschland Freizeitpark GmbH
LEGOLAND Allee 1
89312 Günzburg
Germany
e-mail: info@legoland.de
Legal representatives:
Manuela Stone, Timothy DeYoung, Matthew Jowett
(hereinafter referred to as "we" or "us") as the persons responsible in accordance with the applicable data protection law.
Within the App, we enable you to retrieve and display the following information:
- Interactive park map with route planner
- Waiting times for rides
- Information about ending and starting times of shows
- Information about attractions, rides, restaurants and shops
- Opening times of the park, attractions, rides, restaurants and shops
- General information about visitor services
- Information about special offers concerning catering and shops
As a result of using the App, personal data about you are processed by us. Personal data are to be understood as all information that relates to an identified or identifiable natural person. Because the protection of your privacy while using the App is important to us, we would like to inform you with the following information about what personal data we process when you use the App and how we treat these data. Moreover, we will inform you about the grounds under law for the processing of your data and, in as far as the processing is required for the maintenance of our lawful interests, about our legal interests.
You can display this privacy policy within the App by selecting the menu entry "Privacy policy & legal".
1. Information about the processing of your data
Certain information is processed automatically as soon as you use the App. What personal data in particular are processed, we have listed for you below:
1.1 Information that is collected when you download
When you download the App, certain necessary information is transferred to the app store that you chose to use (e.g. Google Play or Google App Store), in particular the username, e-mail address, the customer number of your account, the time of download, payment information and individual device code are processed. The processing of these data is done exclusively through the app store and is beyond our sphere of influence.
1.2 Information that is automatically collected
When you use the App, we automatically collect specific data that are required for the use of the App. These data include:
- Location, accuracy and date/time periodically throughout the day (only while at the attraction)
- Each visit to the resort including date/time first seen and last seen
- Operating system
- Operating system version
- Device name
- Battery level
- Battery status (charging or not)
- Bluetooth status (on or off)
- Mobile network carrier name
- Currently connected Wi-Fi SSID
- Location permission status (on or off)
- IP address
- User's preferred locale
- Current time zone
- App version and build number
- App interactions (captured as events fed to Firebase Analytics and Keen IO)
- Date/time entered/exited geofence region (if you enter an offered geofence region)
These data are automatically sent to us, (1) so that we can make the service and the associated functions available to you; (2) to improve the functions and features of the App and (3) to prevent misuse and to rectify malfunctions and (4) to offer you a personalized guest experience. This data processing is justified on the basis that (1) the processing is required in order to fulfil the requirements of the contract between you as the data subject and us in accordance with Art. 6(1)(b) GDPR for the use of the App, or (2) we have a legitimate interest in guaranteeing the functionality and fault-free operation of the App and being able to offer a service that is in line with the requirements of the market and with the interests of the users and prevails over your rights and interests in the protection of your personal data in accordance with Art. 6(1)(f) GDPR.
1.3 Information that is collected when you login
When you login using a form or a Facebook account to receive further information and offers from the Merlin group of companies in future by e-mail and SMS, we use your login data, such as your name, e-mail address, postcode, Facebook ID (when logging in through a Facebook account), date and time of registration, in order to supply you with information and offers that you have requested from us or could be of interest to you, in as far as you have given your consent to us contacting you for this purpose. Your Login data such as your name and e-mail address are retained as long as you are registered to receive information and offers via e-mail address and SMS. Did you login only for receiving personalized information and offers in the context of the use of the app we retain your login data such as your name and e-mail address for a period of 24 month after the last time you used the app.
1.4 Use of the App
Within the App, you can enter, manage and process a wide range of information, tasks and activities. In particular, this information includes data about the use of
- Interactive park map with route planner
- Display of waiting times at rides
- Information about ending and starting times of shows
- Information about attractions, rides, restaurants and shops
- Display of the opening times of the park, attractions, rides, restaurants
and shops
- General information about visitor services
- Information about special offers concerning catering and shops
The processing and use of usage data is performed to make the service available. This data processing is justified on the basis that the processing is required for the fulfilment of the contract to use the App between you as the data subject and us in accordance with Art. 6(1)(b) GDPR.
1.5. Use of Google Firebase
This App uses Google Firebase which uses the data to provide analytics and attribution information and for bugfixing. The reader data contain no personal data, only system information such as App version and build number, operation system, system utilization, etc.
1.6. Use of Google Analytics
This App uses functionalities of the webanalysis service Google Analytics. Supplier is Google Inc, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; "Google"). This allows data, sessions and interactions through numerous different devices to be assigned to a pseudonym user ID and therefore the activities of the user can be analysed over numerous devices. In accordance with the agreement between Google and the Hamburg Commissioner for Data Protection and Freedom of Information, under certain conditions it is possible to use Google Analytics in compliance with privacy requirements in a way that raises no objections.
Please note the following information about the use of Google Analytics:
Google Analytics uses so-called "cookies", text files that are stored on your computer and allow an analysis of your use of the website. The information generated by the cookie about your use of this website is normally transferred to a server by Google in the USA and is stored there. However, through activation of IP anonymisation on this website, your IP address will be truncated by Google within the area of the Member States of the European Union or within other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the whole IP address be first transferred to a Google server in the USA and then truncated there. The IP address that your browser conveys within the scope of Google Analytics will not be associated with any other data held by Google. Google will use this information on behalf of the operator of this website for the purposes of evaluating your use of the website, compiling reports on websiteactivities for website operators and providing them with other services relating to website and internet usage. Our legitimate interest also lies in data processing for these purposes. The legal basis for the use of Google Analytics is § 15(3) of the German Teleservices Act (TMG) and Art. 6(1)(f ) GDPR. The data sent by us and linked to cookies, user identification (e.g. User ID) or advertising IDs are automatically deleted after 38 months. The deletion of data that has reached the end of its retention period is done automatically once a month. For more detailed information about conditions of use and data protection, please visit https://www.google.com/analytics/terms/de.htm / or https://policies.google.com/?hl=de
You may refuse the storage of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this App. You can also prevent the collection of data generated by the cookie and through your use of the App (including your IP address) at Google and the processing of this data by Google by downloading and installing Browser Add-on. Opt-out cookies prevent the future collection of your data on using this App. To prevent the collection by Universal Analytics through numerous different devices, you must implement the opt-out on all the systems used.
If you do not want to receive personalized advertising you may deactivate it by using the following link of Google Anzeigeneinstellung
Provider name: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Legal basis for processing: Legitimate interest
Guarantees in accordance with Art. 44ff DS-GVO: Privacy Shield certification (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active)
2. Passing on and transfer of data
Passing on your personal data without your express prior consent is done other than in the cases explicitly identified in this privacy policy only if it is legally permitted or required. This can, for example, be the case if processing is required to protect the vital interests of the user or another natural person.
2.1 The data entered by you at the time of login are passed on within our company group Merlin Entertainments Limited for internal administration purposes, including general customer service to the extent required.
Any passing on of personal data is justified on the basis that we have a legitimate interest in passing on the data for administrative purposes within our company group and your rights and interests in the protection of your personal data in the context of Art. 6(1)(f) GDPR do not prevail.
2.2 If it is required to investigate illegal use or misuse of the App or for legal proceedings, personal data are passed on to the prosecuting authorities or other authorities or, if applicable, to affected third parties or legal advisers. However, this happens only if there are indications of behaviour suggesting illegal use or misuse. Passing on of data can also take place if this serves to implement the conditions of use or other legal requirements. We are also legally obliged to provide information on the request of certain public bodies. These public bodies are law enforcement authorities, authorities that have the power to impose fines for infringements of the law and the tax authorities.
Passing on of personal data is justified on the basis that (1) the processing is required to fulfil a legal obligation that we are subject to in accordance with Art. 6(1)(f) GDPR in connection with national legal requirements to pass on data to law enforcement authorities, or (2) we have a legitimate interest in passing on the data in the case of finding indications of behaviour suggesting misuse or to implement our conditions of use, other conditions or legal claims to the named third parties and your rights and interests in the protection of your personal data in the context of Art. 6(1)(f) GDPR do not prevail.
2.3. We rely on the contractually committed companies of the Merlin company group and the following third-party companies and external service providers for the provision of our service: Experian, Attractions.io, Google, Facebook, Keen IO, Google Maps, Amazon AWS, Sentry, VictorOps
Passing on of personal data is justified on the basis that (1) we have a legitimate interest in passing on the data for administrative purposes within our company group and your rights and interests in the protection of your personal data in the context of Art. 6(1)(f) GDPR do not prevail and (2) we carefully select, regularly check and have contractually obliged our third-party companies and external service providers in the context of Art. 28(1) GDPR as commissioned processors to process all personal data exclusively in accordance with our instructions.
2.4 In the course of the further development of our business, it may be that the structure of our company changes. This may be a change in its legal form, or subsidiary companies, parts of the company or existing parts may be founded, purchased or sold. In the event of such transactions, customer information is passed on if applicable with the transferred part of the company. With each passing on of personal data to third parties in the stipulated scope, we take care that this is done in accordance with this privacy policy and the applicable data protection legislation.
Any passing on of personal data is justified on the basis that we have a legitimate interest in modifying our company's legal form to commercial and legal circumstances appropriate to need and your rights and interests in the protection of your personal data in the context of Art. 6(1)(f) GDPR do not prevail.
3. Data transfers in third countries
We process data in states outside the European Economic Area ("EEA"). In particular this includes:
Google (USA), Facebook (USA), Keen IO (USA), Google Maps (USA), Amazon AWS (USA), Sentry (USA)
In the case of the USA, the European Commission in its resolution dated 12.7.2016 made the decision that an appropriate level of data protection exists under the rules of the EU-US Privacy Shield (Adequacy decision, Art. 45 GDPR). In the case of Google (USA), Facebook (USA), Keen IO (USA), Google Maps (USA), Amazon AWS (USA), Sentry (USA) this is done by companies certified in accordance with the EU-US Privacy Shield.
4. Changes of purpose
Processing of your personal data for purposes other than the described purposes takes place only if a legal provision allows this or you have consented to the changed purpose of the data processing. In the case of further processing for other purposes than that for which the data was originally collected, we inform you before the further processing takes place about these other purposes and make all further information relevant to this available to you.
5. Period of data storage
We delete or anonymise your personal data as soon as they are no longer required for the purpose for which they were collected or used in accordance with the previous clauses. As a rule, we store your personal data for the period of use or the contractual relationship of the App plus a period of 60 days during which we keep backup copies after deletion, in as far as these data are no longer needed for criminal proceedings or for the safeguarding, assertion or enforcement of legal claims.
Specific information in this privacy policy or legal requirements for retention and deletion of personal data, in particular such data that we must keep for tax purposes, remains unaffected by this provision.
6. Your rights as the data subject
6.1 Right of access to information
You have the right upon request at any time to be informed about the personal data relating to you and processed by us to the scope defined in Art. 15 GDPR. You can submit your request by post or by e-mail to the address given below.
6.2 Right to correct incorrect data
You have the right to demand that we immediately correct personal data relating to you in as far as these data are incorrect. Please use the contact addresses given below for this purpose.
6.3 Right to deletion
You have the right under the conditions set out in Art. 17 GDPR to demand that we delete the personal data relating to you. These provisions in particular provide a right to deletion if the personal data are no longer required for the purpose for which they were collected or processed in some other way and in cases of processing not in accordance with the law, in cases of an objection having been submitted or in cases where there is an obligation to delete in accordance with European Union legislation or the law of the member state to which we are subject. The period of data storage is normally defined in clause 5 of this privacy policy. In order to assert your right to deletion, please use the contact addresses given below.
6.4 Right to restrict processing
You have the right to demand that we restrict processing in accordance with the provisions of Art. 18 GDPR. This right exists in particular if the correctness of the personal data is disputed between the user and us and for the period required for checking the correctness and in the case that the user demands a restriction of processing instead of deletion where there is an existing right to deletion; and furthermore for the case that the data are no longer required for the purpose pursued by us, but the user needs them for asserting, exercising or defending legal claims and in cases where the successful exercise of an objection between us and the user is still disputed. In order to assert your right to restriction of processing please use the contact addresses given below.
6.5 Right to data transferability
You have the right to obtain from us the personal data relating to you that you have made available to us. We must provide you with the data in a structured, commonly used, machine-readable format in accordance with the provisions of Art. 20 GDPR. In order to assert your right to data transferability, please use the contact addresses given below.
7. Right to object
You have the right to submit an objection in accordance with Art. 21 GDPR at any time against the processing of personal data relating to you that is performed inter alia on the basis of Art. 6(1)(e) or (f) GDPR. We will cease the processing of your personal data unless we can substantiate compelling and worthwhile grounds for the protection of the processing that prevail over your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
8. Right of complaint
You also have the right to complain to the responsible supervisory authority. The responsible supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Tel.: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
e-mail: poststelle@lda.bayern.de
9. Contact
The contact details for our data protection officer are as follows:
LEGOLAND Deutschland Freizeitpark GmbH
Data Protection Officer
LEGOLAND Allee 1
89312 Günzburg
Germany
e-mail: datenschutz@legoland.de
10. Changes to this privacy policy
This privacy policy is always kept up to date. Therefore, we reserve the right to modify it from time to time and implement changes in the collection, processing and use of your data. The current version of the privacy policy can always be found at "Privacy policy & legal" within the App.
Date: 26.02.2024