Privacy Policy

LEGOLAND® Windsor Resort Privacy Policy

OVERVIEW of this Policy and Commitments to Privacy at Merlin

At Merlin ("we", "us", "our"), we regularly collect and use personal data about consumers who visit our attractions or hotels, or browse our websites. Personal data is any information that can be used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.

The purpose of this privacy policy ("Policy") is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to find the information that is most relevant to you. 

Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws.

We will make changes to this Policy from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect, how we use it, and who we share it with.

Contents

  1. WHO is responsible for looking after your personal data?
  2. WHAT personal data do we collect?
  3. WHEN do we collect your personal data?
  4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?
  5. Who do we SHARE your personal data with?
  6. Direct Marketing.
  7. International Transfers.
  8. Profiling.
  9. Application for disabled registration ID card.
  10. How long do we keep your personal data?
  11. What are your rights?
  12. Contact and complaints
  13. APPENDIX 1 - LEGAL BASIS FOR PROCESSING.
  14. APPENDIX 2 - GLOSSARY

1. WHO is responsible for looking after your personal data?

Merlin Entertainments Limited ("Merlin") is a British-based entertainment company, with a registered office at Link House, 25 West Street, Poole, Dorset, BH15 1LD, which operates over 100 attractions, and over 20 hotels and holiday villages in 25 countries. Our business is about creating unique, memorable and rewarding visitor experiences. A list of our attractions and a note of the companies that make up the Merlin group which help to achieve this is available at ("Merlin Group").

The entity in the Merlin Group which was originally responsible for collecting information about you will be the Data Controller. Other entities in the Merlin Group may also be Data Controllers where they control the use or processing of such data.  There will be a single point of contact for all Merlin Group Data Controllers who can be contacted using the details set in section 11 below.

2. WHAT personal data do we collect?

In relation to potential customers, historic customers and current customers and attraction visitors ("consumers"), we collect the following data:

  • Information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site, via our mobile app (more detail listed in section 2.1), subscribing to our service, posting material or requesting further services. We will also ask you for information when you report a problem with our site.
  • Details of any concerns if you contact us with a query or issue.
  • When you complete a survey to tell us how your experience of our attractions or hotels was and how we can improve, although you do not have to respond to them.
  • Details of transactions you carry out through our site and of the fulfilment of your bookings including your credit/debit card details.
  • Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
  • Your name, address, telephone number and/or email address in order to contact you with details of your booking or in the unlikely event that we need to contact you urgently about your booking.

This includes the collection of contact details such as your name, address, date of birth, telephone number and email address, special categories of personal data details including a consultant or GP letter, a photocopy of your blue badge, a letter from the Department of Work and Pensions (“DWP”), Disability Living Allowance (“DLA”), or Personal Independence Payment (“PIP”), identification details including a headshot of yourself, engagement details including your purchase history and attraction visit history, your marketing preferences including interests / marketing list assignments, record of permissions or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type, and session frequency and cookies - please see our separate cookie policy for further details on cookies.

2.1 Information Automatically Collected In The LEGOLAND Windsor Resort Mobile App
When you use the App, we automatically collect specific data that are required for the use of the App. This data includes:

  • Location, accuracy and date/time periodically throughout the day (only while at the attraction)
  • Each visit to the resort including date/time first seen and last seen
  • Operating system
  • Operating system version
  • Device name
  • Battery level
  • Battery status (charging or not)
  • Bluetooth status (on or off)
  • Mobile network carrier name
  • Currently connected Wi-Fi SSID
  • Location permission status (on or off)
  • IP address
  • User's preferred locale
  • Current time zone
  • App version and build number
  • App interactions (captured as events fed to Firebase Analytics and Keen IO)
  • Date/time entered/exited geofence region (if you enter an offered geofence region)

This data is automatically sent to us (1) so that we can make the service and the associated functions available to you; (2) to improve the functions and features of the App; (3) to prevent misuse and to rectify malfunctions; and (4) to offer you a personalized guest experience. This data processing is justified on the basis that (1) the processing is required in order to fulfil the requirements of the contract between you as the data subject and us in accordance with Art. 6(1)(b) GDPR for the use of the App, or (2) we have a legitimate interest in guaranteeing the functionality and fault-free operation of the App and being able to offer a service that is in line with the requirements of the market and with the interests of the users and prevails over your rights and interests in the protection of your personal data in accordance with Art. 6(1)(f) GDPR.

3. WHEN do we collect your personal data?

Consumers

  • We will collect information from you directly when you sign up for a newsletter from an attraction website, when you purchase a ticket or pass, where you make a phone booking, where you sign up for Wi-Fi at one of our attractions, when you book to stay at one of our hotels, where you complete a survey, or where you contact us with questions or suggestions.
  • We also monitor and record telephone calls in order to record your opt-in to receive marketing content (where required, see section 6 for further details) when you call us directly.
  • Where someone has applied for a family pass, or entered into a competition on your behalf, information about you in those circumstances will be provided to us indirectly by a family member or another third person. 

In emergency circumstances, we will also collect information about you indirectly from other sources where we believe this is necessary to help ensure the security of our attractions. These other sources may include public registers and social media platforms.

We will not knowingly collect any personal data about children for the purpose of marketing without making it clear that such information should only be provided with parental consent, if this is required by applicable laws - so Merlin will only use the personal data of children as far as is permitted by law where the required parental or guardian consent has been obtained.

4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?

We will use your personal data to:

  • ensure that content from our site is presented in the most effective manner for you and for your computer.
  • assess whether you are eligible for a disabled access registration ID card.
  • provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
  • carry out our obligations arising from any contracts entered into between you and us.
  • allow you to participate in interactive features of our service, when you choose to do so.
  • notify you about changes to our service.

We may also send you marketing materials (where we have appropriate permissions as explained in more detail below under Section 6). This process is likely to include profiling, and more information is provided at Section 8 of this Policy about this. We will also need to use your personal data for purposes associated with our legal and regulatory obligations.

We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 and in Appendix 1 where we are satisfied that:

  • our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your booking for entry tickets to an attraction), or
  • our use of your personal data is based on your consent (e.g. when you apply for a disabled registration ID card), or
  • our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with ICO requirements), or
  • our use of your personal data is necessary to support 'Legitimate Interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights. Where required under separate laws, for example the Privacy and Electronic Communications Regulations, we will also ensure that you have opted in before we send you marketing materials - see section 6 below for more details. Please see Appendix 1 for more details about our Legitimate Interests.

Before collecting and/or using any special categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be:

  • your explicit consent
  • the establishment, exercise or defence by us or third parties of legal claims; or
  • a specific exemption provided under local laws of EU Member States and other countries implementing the GDPR.

PLEASE NOTE: If we have previously told you that we were relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis unless we have said that we are in this Policy.

PLEASE NOTE: If you provide your consent or explicit consent to allow us to process your personal data or your special categories of data, you can withdraw your consent to such processing at any time. However, you should be aware that if you choose to withdraw your consent we will tell you more about the possible consequences, including if this means that certain services (in particular where you have applied for a disabled registration ID Card pass) can no longer be provided.

5. Who do we SHARE your personal data with?

As flagged above, we share data with other Merlin Group companies.

We also share the data with third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data, and include:

  • service providers, who help manage our IT and back office systems, and assist with our Customer Relationship Management activities, in particular Salesforce, Avius Insight, Accesso, Facebook, Instagram, Mediacom, Zendesk & Holiday Extras.
  • our mobile app team, Attractions.io
  • our website development agency, Isobar
  • our printing agencies, The Leaflet Company and Adare International
  • our regulators, which include the ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
  • solicitors and other professional services firms (including our auditors).

Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser.

We are required by the UK Government to hold and potentially share basic information about our visitors as part of NHS Test and Trace to help stop the spread of COVID-19.

6. Direct Marketing

We may use your personal data to send you direct marketing communications about our attractions, hotels, experiences or our related services.  This will be in the form of email, post, SMS or targeted online advertisements.

Where we require explicit opt-in consent for direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. Otherwise, for non-electronic marketing or where we can rely on the soft opt-in exemption under the Privacy and Electronic Communications Regulations, we will be relying on our Legitimate Interests for the purposes of GDPR as further detailed in section 4 and Appendix 1.

You have a right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using the details in Section 11. 

We also use your personal data for customising or personalising advertisements, offers and content made available to you based on your visits to and/or usage of our attraction websites or other mobile applications, platforms or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes 'profiling', and more information is provided at Section 8 of this Policy about this.

7. International Transfers

Some entities in the Merlin Group, with whom we share your data, and our service providers who have access to your personal data, are located outside the European Union. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular we will either:

  • only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
  • ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR and/or the EU - U.S. Privacy Shield for the protection of personal data transferred to the US (for further details, please see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).

8. Profiling

'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention. We do not carry out any automated decision making, however we do carry out profiling using automated processing to tailor marketing materials for a specific customer.

Where we have permissions to send a consumer marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in.  In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.

9. Application for a disabled registration ID card

As part of this application, we will ask you for information so that we can check to see whether you are eligible for a disabled registration ID card and for administration and granting of the disabled registration ID card.  The personal information we collect about you is treated slightly differently depending on what type of information it is. 

You will have explicitly consented to our use of the personal information relating to your disability and you have the right to withdraw consent (explained above).  Depending on what personal information you choose to provide us, we will be collecting the following special categories of data from you:

  • consultant or GP letter detailing your disability or that of the individual you are applying for
  • photocopy of your blue badge, or that of the individual you are applying for
  • a letter from the DWP, DLA, or PIP stating that you, or the individual you are applying for, are entitled to a higher rate or enhanced rate mobility allowance

Other personal information we will collect about you (but that is not special categories of personal data) is:

  • a photo headshot of yourself or of the individual you are applying for
  • your name, address and contact information, or those of the individual you are applying for

If you have made an application on behalf of a child or another adult, on the basis of a disability, then you will have explicitly consented to our use of the personal information that relates to the other adult's or child's disability and you will have the right to withdraw consent (explained above). The information we collect is listed directly above.

As part of the application, you may also submit personal information about yourself (depending on whether you are carrying out the application for yourself or on behalf of another) that we require in our legitimate interest. This includes the information listed directly above.

Any personal information that is provided in and during the application process is used only for the purpose of reviewing the application and granting a disabled registration ID card.

We understand how important special categories of data are, so we will not share your special categories of data with any person other than our supplier, Avius (registered in England and Wales with registration number: 05781390 and registered address at Dean Park House, 8-10 Dean Park Crescent, Bournemouth, Dorset, England, BH1 1HL), who provides Merlin with survey and customer experience management software. Avius will only store the special categories of personal data for Merlin to use in its assessment of your application.

10. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In particular, where there has been no interaction from a consumer (e.g. a purchase, email open, newsletter sign up), a record will be archived after 1 year and deleted after 3 years.

Where we are required to do so to meet legal, regulatory, tax or accounting requirements, we will retain your personal data for longer periods of time, but only where permitted to do so, including so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised and the Personal Data is no longer used by the business.

With regard to the special categories of personal data we process as detailed under section 9 above (this includes the special categories of personal data stored by Avius) Merlin will destroy such data 4 weeks from receiving the special categories of personal data.

11. What are your rights?

You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data; objection to the processing of your data; data portability; and various information in relation to any automated decision making and profiling or the basis for international transfers.  You also have the right to complain to your supervisory authority (further details of which are set out in Section 11 below).   These are defined in more detail as follows:

RIGHT - WHAT THIS MEANS

Access

You can ask us to:

  • confirm whether we are processing your personal data;
  • give you a copy of that data;
  • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this Policy.

Rectification

You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.

Erasure / Right to be Forgotten

You can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • it follows a successful right to object (see 'Objection' below); or
  • it has been processed unlawfully; or
  • it is necessary to comply with a legal obligation which Merlin is subject to.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a suppression list if you have opted out from receiving marketing content to ensure that you do not receive any further communications.

Restriction

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested (see 'Rectification' below), to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.

Portability

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.

Objection

You can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate Interests. Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests which override your rights, however this does not apply as far as the objection refers to the use of personal data for direct marketing purposes.

 To exercise your rights you can contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:

  • Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
  • Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
  • Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
  • Exemptions. Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.

12. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way: Data.Protection@merlinentertainments.biz

To exercise your data subject rights, please complete the request form available here.

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time. In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 

 

APPENDIX 1 - LEGAL BASIS FOR PROCESSING

Consumer

Activity: Set up a record on our CRM systems
Type of information collected: Contact Details and Engagement Details
The basis on which we use the information:
  • Performance of a contract
  • Legitimate interests (to ensure we have an accurate record of all consumers that we interact with)

Activity: Provide client care and support
Type of information collected: Contact Details, Engagement Details and Device Data
The basis on which we use the information:
  • Performance of a contract

Activity: Marketing
Type of information collected: Contact Details, Marketing Preferences
The basis on which we use the information:
  • Legitimate interests (to provide information about Merlin which may be of interest, to create audience segments for the purpose of carrying out targeted marketing, to enrich data which we use to provide marketing content to you in a better, more personalised way)
  • Opt-In (where required under the Privacy and Electronic Communications Regulations)

Activity: Comply with legal and regulatory obligations
Type of information collected: Contact Details and Engagement Details
The basis on which we use the information:
  • Legal obligation

Activity: Application for a disabled registration ID card
Type of information collected:
  • a photo headshot
  • consultant or GP letter detailing relevant disability
  • a photocopy of a blue badge
  • a letter from the DWP, DLA, or PIP stating entitlement to a higher rate or enhanced rate mobility allowance
  • name, address and contact details
The basis on which we use the information:
  • Legitimate interest (name, address and contact details)
  • Consent (photo head shot, consultant or GP letter detailing relevant disability, a photocopy of a blue badge, a letter from the DWP, DLA, or PIP stating entitlement to a higher rate or enhanced rate mobility allowance)
  • Explicit consent – for processing special categories of personal data (consultant or GP letter detailing relevant disability, a photocopy of a blue badge, a letter from the DWP, DLA, or PIP stating entitlement to a higher rate or enhanced rate mobility allowance)

 

No.

Purpose for processing

The lawful basis we rely on

 

Service Delivery

To provide guests with the products, services or information you request from Merlin, and for related purposes such as delivering customer service, handling queries and complaints, establishing and maintaining contractual relations.

Merlin will process your personal data in accordance with its legal obligations and legitimate interests to deliver its services to you.

 

Operating Competitions, Prize Draws and other Promotions

To administer competitions and rewards to our guests we may use our website and social media accounts

It is necessary for Merlin to use your personal data to perform our obligations in accordance with any contract that we may have with you or where it is in our legitimate interest to use your personal data to enable us to administer a Merlin competition or promotion effectively and fairly in line with our own business practices. 

 

Payment Services

 

To operate electronic payment processes  

We have legal and regulatory obligations to ensure that we process certain personal data when facilitating payment transactions.

 

Photography and Film

Some attractions offer photography services during your visit.

Where relevant for publishing appropriate internal or external communications or publicity or marketing material including via social media in appropriate circumstances;

The company also has a legitimate interest in promoting and marketing its brand, whether to prospective employees or prospective customers, both of which support the Company's immediate and long-term business goals and outcomes. 

Guests have the option to purchase their own photographs at certain attractions. Notices are in place where photography services are in operation.

 

Deliver marketing communications by email, offers and newsletters to you

To deliver marketing communications, offers and newsletters to you.

Merlin will rely upon your explicit consent to send you marketing material. All of Merlin’s marketing correspondence has the option for you to ‘unsubscribe’ from our communications, at any time.

 

To deliver marketing to guests and prospective leads  on social media 

Merlin and its third party partners may show you advertising on social media, that is tailored to you.

 

If you are a user of social media, Merlin may ask the third-party providers of those platforms to find other registered users of their services who share similar interests and characteristics to you, which will be based on information that the third party holds about you and other registered users of its platform. This is known as ‘lookalike’ audience advertising because Merlin is seeking to advertise to other people who ‘look like’ you. This advertising method is based on data that you as a user of social media have provided to the platform independently and is also dependent upon the privacy settings you have associated with your social media account.

(for more information click here

All Facebook users have the opportunity to set their preferences for their marketing options.

Where we use your personal data to display online personal advertising to you, we rely on the consent or our legitimate interests to promote our website and services and/or attractions to you.

We will only share your Personal Data with the third-party providers of any social media platform so that we can advertise our available services to you when you use those platforms only where you have provided your consent or where it is otherwise in our legitimate interests to do so in order to promote Merlin services.

 

Safety, security and preventing and detecting inappropriate or unlawful activities

Safety and security including the use of CCTV at our attractions; satisfying the Company's regulatory or other obligations; preventing, detecting and investigating a wide range of activities and behaviours; and liaising with regulatory authorities

Some of this processing is necessary for the compliance with legal obligations to which the Company is subject including health and safety laws, our duty of care and regulatory laws to which the Company is subject.

Additional processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in ensuring that its business, guests, employees and systems are protected and that action is taken to mitigate risk and to prevent and detect matters which may put the Company or its business or stakeholders at risk. 

This includes carrying out risk assessments; detecting and preventing crimes or criminal activity or other unlawful or unethical activity; ensuring that only appropriate employees are engaged in our business; and ensuring compliance with other legal or regulatory requirements placed upon us or related official guidance.

It also includes providing ways to report conduct or compliance issues and the appropriate consideration and investigation of matters drawn to the Company's attention.

It also includes facilitating, controlling and restricting access to appropriate locations and systems. To be effective these must be monitored and kept up to date. Effective business protection is important for business continuity and to protect the Company's reputation. This supports the Company's immediate and long-term business goals and outcomes.

 

ANPR Recognition

Some of our attractions have automatic number plate recognition in place to monitor entry to our car park facilities.

Depending on local laws, we will rely upon consent, performance of a contract or legitimate interest to process this information.

 

Business information protection

Protecting the private, confidential and proprietary information of the Company, its employees, its guests and third parties

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in ensuring that its business, guests, employees and systems are protected.

This includes protecting our assets and the integrity of our systems; and detecting and preventing loss of confidential and proprietary information.

This is also important to comply with our obligations to our guests and staff to protect their information.

Effective business protection is important for business continuity and to protect the Company's reputation. This supports the Company's immediate and long-term business goals and outcomes.

 

Legal compliance

Complying with laws and regulation applicable to the Company

This processing is necessary for the compliance with legal obligations to which the Company is subject including those laws set out.

 

 

Commercial transactions or outsourcing

Planning, due diligence and implementation in relation to a commercial transaction or service transfer involving the Company that impacts on your relationship with the Company

Some of this processing is necessary for the compliance with legal obligations to which the Company is subject.

Additional processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in managing its business operations in the most effective way. The Company needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business or maximise efficiency and effectiveness.

In the event that the Company makes a decision to outsource a function or acquire or transfer a business or part of a business the Company and the third party with whom the Company is seeking to transact each have a legitimate interest in ensuring that the services offered to guests are upheld throughout any transition period.

Business change programmes and transformation support business continuity and improvement and support the Company in achieving its long-term business goals and outcomes. 

 

Business reporting

For business operational and reporting documentation such as accounting, auditing, insurance, compliance assessments, business development requirements, management and operational reporting, in accordance with business growth and operational activities

Some of this processing is necessary for the compliance with legal obligations to which the Company is subject including statutory Company reporting obligations and corporate governance requirements.

Additional processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in managing its workforce and operating its business, ensuring appropriate governance and controls are in place and to measure and report on financial management and business performance.

This includes appropriate preparation of management information reports; financial accounts and other reports including in relation to HR metrics such as retention or attendance; reporting for internal and external governance; and liaising with third parties such as investors or finance providers.

Effective management information and reporting is important for effective management of the business, risk management and decision making. This supports business continuity and is important to support the Company's long-term business goals and outcomes. 

 

Stakeholder management

To operate the relationship with other third parties such as suppliers including disclosure of information to data processors for the provision of services to the Company

The Company also has a legitimate interest in ensuring that it can engage with suppliers effectively and that suppliers can access the information they need to provide the service for which they have been engaged.

Effective communication with and engagement of suppliers is important for business continuity and improvement.

This supports the Company's achievement of its immediate and long-term goals and outcomes.

 

Communication and public relations

Where relevant for publishing appropriate internal or external communications or publicity material including via social media in appropriate circumstances;

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in communicating effectively with its workforce, guests and other stakeholders as well as carrying out appropriate business development activity.

That includes giving information to the workforce or, where appropriate guests, other stakeholders or the wider market about relevant business activities, plans or projects. That can include making reference to those of our staff who are involved in the relevant matters being communicated above.

Effective employee, guest and other stakeholder communication and engagement contributes to attraction and retention of high calibre employees, development and retention of guest relationships, strong business performance, business growth and maintaining and enhancing the Company's reputation. This supports the Company's immediate and long-term business goals and outcomes. 

 

Complaints, claims and litigation

To enforce our legal rights and obligations, and for any purposes in connection with any complaint or legal claim made by, against or otherwise involving you

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in protecting its organisation from breaches of legal obligations owed to it and defending itself against litigation. This is needed to ensure that the Company's legal rights and interests are protected appropriately, to protect the Company's reputation and to protect the Company from other damage or loss.

This is important to protect the business of the Company and ensure its continued success and growth. This supports the Company's immediate and long-term business goals and outcomes.

 

Legal or regulatory disclosures

To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country;

This processing is necessary for the compliance with legal obligations to which the Company is subject where there is a legal obligation to disclose information or a court or other legal order to provide information is in place.

Where not legally required, processing is necessary for the purpose of the legitimate interests pursued by the Company.

The Company has a legitimate interest in co-operating with relevant authorities, government bodies or regulators for the provision of information where appropriate. The Company wishes to maintain its reputation as a good corporate citizen and to act ethically and appropriately in all the countries in which it does business. 

This encourages compliance and high standards of business practice and protects the Company's reputation. This supports the Company's immediate and long-term business goals and outcomes.

 

Analytics & Monitoring

To understand how you and others use our services, for analytics and modelling and to create business intelligence and insights and to understand economic trends

Merlin has a legitimate interest in using analytics to enhance and improve guest experience. Merlin uses cookies to monitor interaction between guests and its website; more information is available here.

APPENDIX 2 - GLOSSARY

Consumer: means an individual who will, who has, or who is purchasing tickets for an Attraction or using Merlin's websites, goods or services, or participating in a prize draw/competition or Merlin experience.

Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.

Data Subject: means an individual whom the personal data is about.  

EEA: means the European Economic Area.

GDPR: means the General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.

ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.

Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.

Member States: means those countries which are part of the European Union.

Privacy Shield: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.

Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.

Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.

 

LEGOLAND Holidays Privacy Policy

We (Holiday Extras Shortbreaks Limited) will protect and respect your privacy and personal information. This document explains how and why we collect and use it.

This policy is for customers using any of our sites or services on any of the brands operated by Holiday Extras Shortbreaks Limited on behalf of our partners.

Holiday Extras Shortbreaks Limited operates the following website(s) on behalf of Merlin Entertainments PLC:

  • Altontowersholidays.com
  • Chessingtonholidays.co.uk
  • Legolandholidays.co.uk
  • Thorpebreaks.co.uk
  • Warwickcastlebreaks.com

How we use your personal information

To provide you with the products and services booked with us, to fulfil a contract
Personal & contact details (name, age, address, email, telephone number)
  • Once you have a booking we need to know the booking is yours and send you relevant information about your booking, like an email or postal confirmation.
  • We need to share some of your details with our suppliers, like a name and email address for your hotel stay.
Payment information
  • To take payment for any bookings made and to issue any refunds.
Booking information
  • We may be contractually obliged to share some of your booking information with our partners. Your personal information is not included for this purpose.
Contact history (what you have said to us)
  • To provide you with customer service and any support and information you may need.
Legitimate interests: we may use and process some of your personal information where we have sensible and legitimate business grounds for doing so.
Personal & contact details (name, age, address, email, telephone number)
  • To detect and prevent fraud against you or us.
  • Customer research. We use online tools to help us learn more about you so we can tailor our ads. One example is Facebook audience, which helps us learn about our customers' interests and online behaviours.
  • We ask for your reviews on our customer experience and our products so we can improve them. We may use a third party tool to do this.
  • If you are a customer who has booked with us before we will share similar products with you unless you have told us not to.
  • If you leave our payment page we may email you to help you to pick up where you left off.
  • To help you manage your personal information, bookings and make paying easier we may create an online account for you.
  • We may disclose your name, email address and telephone number to Merlin Entertainments if you are enquiring about visiting for the day, or for Theme Park only enquiries, which Holiday Extras Limited are unable to deal with.
Online information (IP address and device)
  • To detect and prevent fraud against you or us.
  • To improve our website.
  • To support with customer enquiries.
  • To protect our sites.
Payment information
  • To take payment for any bookings made and to issue any refunds.
  • We will keep your payment details in a tokenised form. This is secure and means we do not store your card details in a way that can be reused.
Booking information
  • To detect and prevent fraud against you or us.
  • We often analyse our historical booking data to learn what products our customers like best.
Contact history (what you have said to us)
  • We record our communications with our customers and use them to allow us and our partners to improve our customer experience.
  • One example is listening back to telephone recordings for training purposes.
  • We may share these recordings with our partners to help improve guest experience.
When we have your consent
Personal & contact details (name, address, email, telephone number, age)
  • To contact you with information by telephone, email, SMS or post about our products, services and special offers.
  • To sign you up to any of our competitions or surveys.
  • To keep you updated about our products, services and special offers on social media. We use Facebook, Twitter and other social media channels.
  • To invite you along to customer research days where we learn about how you interact with our products.
  • We may share your details with Merlin Entertainments PLC for the purposes of postal, email and display advertising of products similar to your original booking.
Contact history (what you have said to us)
  • To sign you up to any of our competitions or surveys.
  • To keep you updated on social media. We use Facebook, Twitter and other social media channels.
We need to comply with a legal requirement or regulation
Personal & contact details (name, address, email, telephone number, age)
  • To detect and prevent fraud against you or us.
  • To defend any legal claims.
Payment information
  • To detect and prevent fraud against you or us.
Booking information
  • To defend any legal claims.

We do not knowingly collect any personal information from children under the age of 16. If you are aged under 16 please ask your parent or guardian's permission before you provide any personal information to us.

Automated decisions

As part of processing of your personal data, the following decision(s) may be made automatically:

For fraud detection and prevention our systems might automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have, on purpose, hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us.

Sharing your information

First things first: we do not sell your personal information, nor do we plan to ever do so. We only use and share personal information for the reasons it was originally collected, and for reasons which are directly related to one of our products or services.

We will share your personal data with our partners in order to provide you with the products you have booked with us. For example, we will share your name and booking details with a hotel. We only share what is necessary.

We may share your information with third party service providers who provide services or functions on our behalf. For example, credit card processing, customer service, business analytics, fraud prevention, advertising and to serve you with advertising that is tailored to your interests. But don't worry, these third party service providers are required to protect your personal information in the same way as we do and are not allowed to share or use information for their own purposes.

We may also share your information in the following situations:

  • Where you have specifically asked or agreed for us to do so
  • Where we have your permission to share your email address with partners we work with for marketing
  • If it is required in order to respond to your request
  • If it is required by law or regulation

 

We work with selected partners who use our websites to service bookings. You may find you were directed to our websites from one of these partners, for example a theme park. In these situations we may share booking information with that partner. Often with these partnerships where you are directed from one website to another there are two privacy policies. We make ours visible throughout your booking journey so it is easy to know when we are collecting any of your personal data.

We will share your information for limited reasons. For example, where we use a service provider to send you a text message or email about your booking, we will share your contact details, but only to facilitate communications to which you have consented.

Who is responsible for your data

We work closely with Merlin Entertainments and process personal information on their behalf. When you make a booking with us you will be a customer of Merlin and Holiday Extras. We each have our own Privacy Policy: ours is the one you are reading right now, and Merlin's privacy policies are available below.

Merlin Entertainments https://www.merlinentertainments.biz/privacy-policy
Alton Towers https://www.altontowers.com/privacy-policy/
Chessington World of Adventures https://www.chessington.com/misc/privacy.aspx
LEGOLAND Windsor https://www.legoland.co.uk/about-us/privacy-policy/
THORPE PARK https://www.thorpepark.com/privacy-policy
Warwick Castle https://www.warwick-castle.com/misc/privacy.aspx

How we keep your data safe

We will take the necessary measures to protect your personal information against unauthorised or unlawful processing and against accidental loss, destruction or damage. When you provide your personal information through our website, it is transmitted across the internet securely using high-grade encryption.

We have high security standards in order to protect your payment card details and are a "PCI DSS" (The Payment Card Industry Data Security Standard) approved organisation.

If we need to disclose your personal information to other businesses, we require that business to have appropriate measures in place to protect your personal information.

Your personal information will be held in our systems, located on our premises or those of an appointed third party. We may also allow access to your information by other third parties who act for us for the purposes described in this Policy or for other purposes approved by you.

How long do we keep your personal information for?

We'll hold on to your information for as long as you have your account if you have one. We will need to store your information if you have an upcoming booking as we need to be able to provide the services to you and support you with any enquiries if you contact our customer team.

In most cases, we will keep your personal information for seven (7) years following your last trip unless we are required to keep it for longer due to business, legal or regulatory requirements.

If, having registered for any of our services, you do not use them for a time we may contact you to check you're still happy to receive communications from us or remove your personal information.

Even if we delete your personal information it may persist on backup or archival media for legal, tax or regulatory purposes.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For more information on how Holiday Extras Shortbreaks use cookies please read our Cookie Policy.

Your personal data rights

You are entitled to see the personal information we hold about you. We will provide this information free of charge but we may charge a fee to cover our costs if the request is extensive.

Please email customercare@holidayextras.com with the subject “My data request” including the following required information:

 

  • Your full name; a description of the information that you are requesting (such as parking booking), including a date range; all of your email addresses (past and present) used to book with Holiday Extras; and
  • Attach to the email a copy of a current photo ID (e.g. passport photo page).

 

From the date that we receive all of the required information, we aim to complete your request within one month. We will try to do it quicker but we cannot guarantee that this will be the case.

Correction rights

You are entitled to correct personal information we hold about you that is inaccurate. Please contact us if you would like to update your details.

Deletion rights/right to be forgotten

In certain circumstances you are entitled to ask us to delete the personal information we hold about you.

If you want us to delete your data, please read our FAQs or contact us.

Portability rights

In certain circumstances you are entitled to request that we move, copy or transfer your personal information.

Objection and restriction rights

In certain circumstances you are entitled to object to or restrict Holiday Extras processing your personal information.

You can update your communication preference when you make a booking and can unsubscribe at any time via the unsubscribe links at the bottom of all marketing emails.

To make enquiries or exercise any of your rights please contact our Customer team, details found in the contact section below.

You can also contact the Information Commissioner's Office (ICO), which is responsible for making sure that organisations comply with the law on handling personal information.

Contact us

We process personal data in connection with this Privacy Policy on behalf of Merlin Entertainments. For the purpose of the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) General Data Protection Regulation ((EU) 2016/679), Holiday Extras is considered to be the data processor and Merlin Entertainments is considered to be the data controller.

If you have any questions or comments about our Privacy Policy, or wish to contact us to exercise any of your rights please contact:

Customer Experience
Holiday Extras
Ashford Road
Newingreen
Hythe
Kent
CT21 4JF
or customercare@holidayextras.com

This Privacy Policy shall be governed and construed in all respects in accordance with the laws of England and Wales.

Changes to our privacy policy

We may change this page from time to time, to reflect how we are processing your information. We only use your personal information for the purposes listed. If we need to use it for something else, we'll let you know.

Any changes we may make to our Privacy Policy in the future will be posted on this page.

v2.0 Last updated November 2021.
