Privacy Policy

OVERVIEW of this policy and privacy commitments at Merlin

At Merlin ("we", "us", "our"), we regularly collect and use personal information about consumers who visit our attractions or hotels or browse our websites. Personal data is any information that can be used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data carefully, to keep it secure and to comply with legal requirements.

The purpose of this privacy policy ("Policy") is to provide a clear explanation of when, why and how we collect and use personal data. We've designed it to be as user-friendly as possible and labeled sections to make it easy for you to find the information that's most relevant to you.

Please read this policy carefully. It provides important information about how we use personal data and explains your legal rights. This policy is not intended to override the terms of any contract you have with us (for example, Wi-Fi Terms or Annual Pass Terms) or any rights available under applicable data protection law.

We will make changes to this policy from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we run our business. We will ensure that you are aware of any material changes by sending an email to the email address you most recently provided to us or by posting a notice on any relevant website so that you are aware of the consequences of the data processing activities before continuing to participate. We encourage you to check and review this policy regularly so that you are always aware of what information we collect, how we use it and who we share it with.

 

Content

  1. WHO is responsible for managing your personal data?
  2. WHAT personal data do we collect?
  3. WHEN do we collect your personal information?
  4. For what PURPOSES do we USE your personal data and what is the LEGAL BASIS?
  5. With whom do we SHARE your personal information?
  6. Direct Marketing
  7. International transfers
  8. Profiling
  9. How long do we keep your personal data?
  10. What are your rights?
  11. Contact and complaints

APPENDIX 1 - LEGAL BASIS FOR PROCESSING

APPENDIX 2 - GLOSSARY

WHO is responsible for managing your personal data?
Merlin Entertainments Limited ("Merlin") is a British entertainment company headquartered at Link House, 25 West Street, Poole, Dorset, BH15 1LD, with over 100 attractions and over 20 hotels and holiday villages in 25 countries. Our business is about creating unique, memorable and enriching visitor experiences. A list of our attractions and a note of the companies that are part of the Merlin Group is available at ("erlin Group")

The responsibility in the Merlin Group that was originally for collecting information about you will be the data controller. Other devices within the Merlin Group may also be data controllers where they are responsible for the use of the processing of such data. There is one connection point for all data controllers within the Merlin Group who can be contacted using the details in section 11 below.

 

  1. WHO is responsible for managing your personal data?
    Merlin Entertainments Limited ("Merlin") is a British entertainment company headquartered at Link House, 25 West Street, Poole, Dorset, BH15 1LD, with over 100 attractions and over 20 hotels and holiday villages in 25 countries. Our business is about creating unique, memorable and enriching visitor experiences. A list of our attractions and a note of the companies that are part of the Merlin Group is available at ("Merlin Group")

    The responsibility in the Merlin Group that was originally for collecting information about you will be the data controller. Other devices within the Merlin Group may also be data controllers where they are responsible for the use of the processing of such data. There is one connection point for all data controllers within the Merlin Group who can be contacted using the details in section 11 below.

  2. WHAT personal data do we collect?
    With regard to potential customers, former customers and current customers and attraction visitors ("consumers"), we collect the following data:

    Information you provide by filling out forms on our site. This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We will also ask you for information when you report a problem with our site.
    Details of any issues if you contact us with a question or concern.
    When you complete a survey to let us know how your experience with our attractions or hotels was, and how we can improve, although you don't have to respond to them.
    Details of transactions you make through our site and the fulfillment of your bookings, including your credit/debit card details.
    Details of your visits to our site, including but not limited to traffic data, location data, weblogs and other communication data, whether required for our own billing purposes or otherwise and the resources you use.
    Your name, address, telephone number and/or email address to contact you about your booking or in the unlikely event that we need to contact you urgently about your booking.

    This includes collecting contact information such as your name, address, date of birth, telephone number and email address, agreement details including your purchase history and visit history to our attractions, your marketing preferences including interests/marketing list assignments, record of consents or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type and session frequency and cookies - see our separate cookie policy for more information about cookies.

  3. WHEN do we collect your personal information?

    Consumers

    We will collect information directly from you when you sign up for a newsletter from an attraction website, when you purchase a ticket or pass, where you make a telephone booking, where you sign up for Wi-Fi at one of our attractions, when you book a stay at one of our hotels, where you fill out a survey, or where you contact us with questions or suggestions.
    We also monitor and record telephone calls to register your opt-in to receive marketing content (where necessary, see section 6 for more information), when you contact us directly
    In these circumstances, where someone has applied for a family card or entered into a competition on your behalf, we will be indirectly provided with information about you by a family member or other third person.

    In emergency situations, we will also collect information about you indirectly from other sources, which we believe is necessary to ensure the safety of our attractions. These other resources may include public records and social media platforms.

    We will not knowingly collect personal information about children for marketing purposes without making it clear that such information should only be provided with parental consent, where required by applicable law - so Merlin will only use children's personal information as permitted by law, when the required parental or guardian consent has been obtained.

     

  4. For what PURPOSES do we USE your personal data and what is the LEGAL BASIS?

    We will use your personal information to;

      • ensure that content from our site is presented in the most effective manner for you and for your computer.
      • provide you with information, products or services that you request from us or which we think may be of interest to you, where you have consented to be contacted for such purposes.
      • carry out our obligations arising from contracts entered into between you and us.
      • allow you to participate in interactive features of our service, when you choose to do so.
        notify you of changes to our service.

    We may also send you marketing materials (where we have the appropriate permissions, as further explained in Section 6 below). This process is likely to include profiling and more information about this is provided in Section 8 of this policy. We will also need to use your personal information for purposes related to our legal and regulatory obligations.

    We need to establish a legal ground for using your personal data, so we will ensure that we use your personal data only for the purposes set out in this Section 4 and in Appendix 1, where we are satisfied that:

      • our use of your personal information is necessary to perform a contract or take steps to enter into a contract with you (for example, to manage your booking for attraction tickets), or
      • our use of your personal information is necessary to comply with a relevant legal or regulatory obligation to which we are subject (for example, to comply with ICO (Personal Data Authority/DPA) requirements), or
      • our use of your personal information is necessary to support "legitimate interests" that we have as a business (for example, to improve our products or perform analytics on our databases), provided it is always conducted in a manner that is proportionate, and that respects your privacy rights. Where required by individual laws, for example privacy and electronic communications regulations, we will also ensure that you have chosen to send you marketing materials - see section 6 below for more information. see. Appendix 1 for more information about our legitimate interests.

    Before we collect and/or use special categories of data, we will determine an additional legal ground for the data described above, which will allow us to use that information. This additional exemption is usually:

      • your explicit consent;
      • the establishment, exercise or defense by us or third parties of legal claims; or
      • a specific exception under local law of EU member states and other countries implementing the GDPR.

    PLEASE NOTE: If we have previously informed you, we relied on consent as the basis for our processing activities, we will not rely on this legal basis in the future unless we have stated so in this policy.

    PLEASE NOTE: If you give your express consent to allow us to process your special categories of data, you may withdraw your consent to such processing at any time. Please note, however, that if you choose to withdraw your consent, we will tell you more about the possible consequences, including whether this means that certain services (particularly where you have applied for a health care card) can no longer be provided ).

     

  5. Who do we SHARE your personal information with?

    As noted above, we share information with Merlin Group companies.

    We also share the data with third parties to help manage our business and provide services. These parties may have access to your personal information and third parties from time to time:

    service providers, who help manage our IT and back office systems, and assist with our Customer Relationship Management activities, especially Accesso and Facebook.
    our regulators, including the ICO (Personal Data Authority/DPA), other regulators and law enforcement agencies in the E.U. and all over the world,
    lawyers and other professional service companies (including our accountants).

    Even if we sell part of our business, we must also transfer your personal data to the buyer.

  6. Direct Marketing

    We may use your personal information to send you direct marketing communications about our attractions, hotels, experiences or our related services. This takes the form of e-mail, post, SMS or targeted online advertisements.

    If we require explicit opt-in consent for direct marketing in accordance with privacy and electronic communications regulations, we will ask for your consent. Otherwise, for non-electronic marketing or where we may rely on the soft opt-in waiver under the Privacy and Electronic Communications Regulations, we will rely on our legitimate interests for the purposes of GDPR (GDPR) as further set out in section 4 and Appendix 1.

    You have the right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using of the details in Section 11.

    We also use your personal information to customize or personalize advertisements, offers and content available to you based on your visits to and/or use of our attractions websites or other mobile applications, platforms or services, and to analyze performance of these advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes 'profiling' and more information about this is provided in Section 8 of this Policy

  7. International transfers

    Some of the entities in the Merlin Group with whom we share your information and our service providers who have access to your personal information are located outside the European Union. We may also share your personal information abroad, for example if we receive a legal or regulatory request from a foreign law enforcement agency. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular we will either:

    only transfer your personal data to countries that are recognized as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
    ensure that transfers outside the European Union are subject to appropriate legal protection - for example the EU Model Clauses pursuant to Article 46(2) of the GDPR and/or the EU-U.S. Privacy Shield for the protection of personal data transferred to the US (for more information, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu -us-privacy-shield_en).
    you have the right to ask us for more information about the security measures we have put in place as stated above. Please contact us as set out in Section 11 if you would like more information or would like to request a copy documenting security (which can be changed to ensure confidentiality).

  8. Profiling

    "Automated decision making" refers to a decision that is made only by the automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not require human intervention. We do not perform automated decision making, but we do perform automation processing to tailor marketing materials to a specific customer.

    If we have permission to send marketing updates to a consumer, we can use profiling to ensure that the marketing materials are tailored to your preferences and what we think interests you. In certain circumstances, it may be possible to deduce special categories of personal data about you from the profiling result, which may include special categories of personal data, but we will not do so unless we have obtained your express permission to do so.

  9. How long do we keep your personal information?

    We will retain your personal information for as long as is reasonably necessary for the purposes set out in Section 4 of this Policy. Especially when there has been no consumer interaction (e.g. a purchase, email opened, newsletter sign up), a record will be archived after 1 year and deleted after 3 years.

    When we are required to do so in order to comply with legal, regulatory, fiscal or accounting requirements, we will retain your personal information for a longer period of time, but only when permitted, including so that we have an accurate record of your transactions with us in in the event of complaints or challenges, or if we reasonably believe that there is an opportunity to take legal action regarding your personal data or transactions.

    We maintain a data retention policy that we apply to the records we manage. If your personal information is no longer required, and we have no legal requirement to keep it, we will ensure that it is securely deleted or stored in a way that is anonymized, and the personal information will no longer be stored by the company. be used.

  10. What are your rights?

    You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of errors in our files; clearing registry that are no longer needed; restriction of the processing of your data; object to the processing of your data; data transfer; and miscellaneous information related to automated decision-making and profiling or the basis for international transfers. You also have the right to lodge a complaint with your supervisory authority (further details are set out below in Section 11). These are defined in more detail as follows:

Right

WHAT THIS MEANS

Access

You can ask us for:

Confirm whether we are processing your personal data;

provide you with a copy of this data;

Provide you with other information about your personal data, such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it, what rights you have how to make a complaint, where we got your information from and whether we have performed any automated decision-making or profiling where such information has not previously been provided to you in this policy.

Correction

You can ask us to correct personal data. We can try to remove the correctness of the data, it is used.

Erase / right to be forgotten

You can ask us to delete your personal data, but only if:

they are no longer necessary for the purposes for which they were collected; or
you have withdrawn your consent (where the data processing was based on consent); or
it follows a successful right to object (see 'Objection' below); or

· they have been processed unlawfully; or

It is necessary to comply with a legal obligation to which Merlin is subject.

We are not obliged to comply with your request to erase your personal data, if the processing of your personal data is necessary: ​​to comply with a legal obligation; or for the establishment, exercise or defense of legal claims, relating to freedom of expression or for archival purposes in the public interest, scientific or historical research purposes or statistical purposes. In the context of marketing, keep the following in mind: We maintain a suppression list if you no longer wish to receive marketing materials, to ensure that you do not receive further communications.

Constraint

You can ask us to restrict (i.e. keep, but not use) your personal information, but only if:

· its accuracy is contested (see 'Correct' below), to enable us to verify its accuracy; or
the processing is unlawful, but you do not want it to be erased; or
they are no longer necessary for the purposes for which they were collected, but we still need them to establish, exercise or defend legal claims; or

you have exercised the right to object and the verification of compelling reasons is pending.

We may continue to use your personal information upon request for restriction, where:

· we have your consent; or
· to establish, exercise or defend legal claims; or
· to protect the rights of another natural or legal person.

Transferability

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'transferred' to another data controller, but in each case only if: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.

Objection

 

You can object to any processing of your personal data which is based on our 'legitimate interests' (see Appendix 2 for more information), if you believe that your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we will have the opportunity to demonstrate that we have compelling legitimate interests that override your rights, but this will not apply to the extent that the objections relate to the use of personal data for direct marketing purposes.
  • To exercise your rights, please contact us as set out in Section 11. If you wish to exercise these rights, please note the following:
  • We take the confidentiality of all files containing personal data seriously and reserve the right to ask for proof of your identity if you make a request.
  • K We do not charge a fee to exercise your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
  • We aim to respond to valid requests within one month, unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we need more than a month. We may ask if you can help us by telling us exactly what you would like to receive or what you are concerned about. This will help us to process your request faster.
  • Local laws, including in the UK, provide additional exemptions, notably the right of access, where personal information may be withheld from you under certain circumstances, such as where it is under the legal privilege.

11. Contact and complaints

The primary point of contact for all matters arising under this Policy, including requests to exercise data subject rights, is our data protection officer. The data protection officer can be contacted in the following ways:

Data.Protection@merlinentertainments.biz

If you have a complaint or concern about how we use your personal information, please contact us in the first instance and we will try to resolve the issue as quickly as possible. You also have the right to lodge a complaint with your national data protection supervisory authority at any time. In the UK, the data protection supervisory authority is the ICO (Personal Data Authority/DPA) (https://ico.org.uk/). We ask you to resolve any issues with us first, although you have the right to contact your supervisory authority at any time.

You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of errors in our files; clearing registry that are no longer needed; restriction of the processing of your data; object to the processing of your data; data transfer; and miscellaneous information related to automated decision-making and profiling or the basis for international transfers. You also have the right to lodge a complaint with your supervisory authority (further details are set out below in Section 11). These are defined in more detail as follows:



APPENDIX 1 - LEGAL BASIS FOR PROCESSING

Activity

Nature of the information collected

Using the basic information

Consumer

Setting up a registry in our CRM systems

·      Contact details and agreement details

·     Executing a contract

Legitimate interests (to ensure that we have an accurate record of all consumers with whom we communicate)

Provide customer care and support

·     Contact details, agreement details and device details

·      Executing a contract

 

Marketing

 Contact Information, Marketing Preferences

Legitimate interests (to provide information about Merlin that may be of interest, to create audience segments for the purpose of conducting targeted marketing, to enrich data, which we use to deliver marketing content to you in a better, more personalized way to deliver)

· Opt-in (if required by privacy and electronic communications regulations)

Comply with legal and regulatory obligations

·    Contact details and agreement details

·    Legal obligation

  

APPENDIX 2 - GLOSSARY

 

Consumer: A person who is about to purchase, who has or is purchasing tickets to an attraction, or Merlin goods or services, or who enters a prize drawing/competition or Merlin experience.

Data controller: a natural of the means and of the processing of personal data.

Data subject: a person about whom the personal data is.

EEA: the European Economic Area.

GDPR (AVG): the General Data Protection Regulation, which will replace and replace the previous Directive 95/46/EC on data protection on 25 May 2018.

ICO (DPA): The Office of the Information Commissioner regulates the processing of personal data by all organizations in the UK.

Legitimate Interests: This is a ground that can be used by organizations as a legal ground for processing, for example where personal data is used in a way that can reasonably be expected, there is a compelling reason for the processing.

Member States: the countries that are part of the European Union.

Privacy Shield: A framework adopted to protect the rights of individuals whose data is submitted to the US.

Profiling: Analyzing your personal data to evaluate your behavior or to predict things about you that are relevant in an entertainment context, such as how likely you are to attend a particular event that we host.

Special categories of data: any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Service Providers: These are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide/support 'Cloud-based' IT applications or systems, meaning that your personal data is hosted on their servers, but under our control and instruction. We require all our service providers to respect the confidentiality and security of personal data.
Health