...before everyone else.
OVERVIEW of this Policy and Commitments to Privacy at Merlin
At Merlin ("we", "us", "our"), we regularly collect and use personal data about consumers who visit our attractions or hotels, or browse our websites. Personal data is any information that can used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.
Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws.
We will make changes to this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect, how we use it, and who we share it with.
APPENDIX 1 - LEGAL BASIS FOR PROCESSING
APPENDIX 2 - GLOSSARY
Merlin Entertainments plc ("Merlin") is a British-based entertainment company, with a registered office at Link House, 25 West Street, Poole, Dorset, BH15 1LD, which operates over 100 attractions, and over 20 hotels and holiday villages in 25 countries. Our business is about creating unique, memorable and rewarding visitor experiences. A list of our attractions and a note of the companies that make up the Merlin group which help to achieve this is available at ("Merlin Group").
The entity in the Merlin Group which was originally responsible for collecting information about you will be the Data Controller. Other entities in the Merlin Group may also be Data Controllers where they control the use or processing of such data. There will be a single point of contact for all Merlin Group Data Controllers who can be contacted using the details set in section 11 below.
In relation to potential customers, historic customers and current customers and attraction visitors ("consumers"), we collect the following data:
We will not knowingly collect any personal data about children for the purpose of marketing without making it clear that such information should only be provided with parental consent, if this is required by applicable laws - so Merlin will only use the personal data of children as far as is permitted by law where the required parental or guardian consent has been obtained.
We will use your personal data to:
We may also send you marketing materials as explained in more detail below under Section 6. This process is likely to include profiling, and more information is provided at Section 8 of this Policy about this.
We will also need to use your personal data for purposes associated with our legal and regulatory obligations in relation to health and safety when you visit one of our attractions (in particular when assessing restricted space requirements for wheelchair users or if there is an incident at one of our attractions) and in relation to consumer protection requirements or taxation purposes (for example to respond to any queries in relation to advertising standards and to ensure we accurately report on visitor numbers and/or revenue).
We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 and in Appendix 1 where we are satisfied that:
Before collecting and/or using any special categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be:
PLEASE NOTE. If you provide your explicit consent to allow us to process your special categories of data, you may withdraw your consent to such processing at any time. If you choose to withdraw your consent we will tell you more about the possible consequences, including if this means that certain services (in particular where you have applied for a carer pass) can no longer be provided. The withdrawal of your consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.
As flagged above, we share data with other Merlin Group companies.
We also share the data with third parties, to help manage our business and deliver services as outlined below. These third parties may from time to time need to have access to your personal data, which include:
Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser.
We may use your personal data to send you direct marketing communications about our attractions, hotels, experiences or our related services. This will be in the form of email, post, SMS or targeted online advertisements.
We limit direct marketing to a reasonable and proportionate level, and we will only send you communications which we think will be interesting and relevant to you, based on the information we have about you.
For the purposes of GDPR our processing of your personal data for direct marketing purposes is based on our Legitimate Interests as further detailed in section 4 and Appendix 1, but where opt-in consent is required by the German Act against Unfair competition in respect of direct marketing by e-mail, SMS or telephone we ask for your prior consent unless we can rely on the soft-opt in in respect of marketing per e-mail (where we will only send marketing to existing customers in relation to products being similar to the ones purchased before unless you have opted out). You have a right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using the details in Section 11. The withdrawal of your consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.
We also use your personal data for customising or personalising advertisements, offers and content made available to you based on your visits to and/or usage of our attraction websites or other mobile applications, platforms or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes 'profiling', and more information is provided at Section 8 of this Policy about this.
Some entities in the Merlin Group, with whom we may share your data, and our service providers who have access to your personal data, are located outside the European Union. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular, we will either:
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention. We do not carry out any automated decision making however we do carry out profiling using automated processing to tailor marketing materials for a specific customer.
If you are a consumer that has signed up to receive marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.
In general, we store your personal data for as long as it is necessary to fulfil the purpose for which it was collected, e.g. to fulfil our contract and the services connected with it (see section 4 of this Policy). Where the personal data is no longer needed for the purpose for which they were collected, we delete your personal data with the exception of such data that we are required to retain for the purpose of contractual or statutory (e.g., taxation or commercial law) retention periods which are inter alia based on the German Commercial Code (HGB) and the German Tax Code (AO) stipulating retention periods ranging from 6 up to 10 years. Data that is only retained because it is subject to a retention period is restricted from processing until the period expires and will then be deleted.
Finally, the storage period of your personal data is also subject to statutory limitation periods according to German Civil Code (BGB) which stipulate a maximum of 30 years, whereas the general statutory limitation period is 3 years.
You have a number of rights in relation to your personal data. In summary, you have the right to request access to your data, rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data, objection to the processing of your data; data portability and various information in relation to any automated decision making and profiling or the basis for international transfers. You also have the right to complain to your supervisory authority (further details of which are set out in Section 11 below). These are defined in more detail as follows:
WHAT THIS MEANS
You can ask us to:
· confirm whether we are processing your personal data;
· give you a copy of that data;
· provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this Policy.
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure / Right to be Forgotten
You can ask us to erase your personal data, but only where:
· it is necessary to comply with a legal obligation which Merlin is subject to.
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims. In the context of marketing, please note that we will maintain a suppression list if you have opted out from receiving marketing content to ensure that you do not receive any further communications. There are further circumstances stipulated in Art. 17 (3) of the GDPR and Section 35 German Data Protection Act (BDSG-neu) in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
· you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
You can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate Interests. Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests which override your rights, however this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.
To exercise your rights you can contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
According to German law (Section 34 BDSG-neu) the right to access does not apply provided personal data are only stored to comply with data retention laws or for data security or data protection purposes and the access would require an unreasonable effort and the processing for other purposes is excluded by appropriate technical and organisational measures.
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way:
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time. In Germany you can inter alia file a complaint at the competent supervisory authority in the federal state of your residence. We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
Type of information collected
The basis on which we use the information
Set up a record on our CRM systems
· Contact Details and Engagement Details
· Performance of a contract
· Legitimate interests (to ensure we have an accurate record of all consumers that we interact with)
Provide client care and support
· Contact Details, Engagement Details and Device Data
· Contact Details, Marketing Preferences
· Legitimate interests (to provide information about Merlin which may be of interest, to create audience segments for the purpose of carrying out targeted marketing, to enrich data which we use to provide marketing content to you in a better, more personalised way)
· Opt-In (where required by national laws (in Germany Section 7 (2) Act against Unfair Competition))
Comply with legal and regulatory obligations
· Legal obligation
Consumer: means an individual who may, who has, or who is purchasing tickets for an Attraction or using Merlin's websites, goods or services, or participating in a prize draw/competition or Merlin experience.
Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.
Data Subject: means an individual whom the personal data is about.
EEA: means the European Economic Area.
GDPR: means the General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.
Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.
Member States: means those countries which are part of the European Union.
Privacy Shield: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.
Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Thank you for signing up!
Service is unavailable - try again in a moment.