Privacy policy

Through its commitment to its core values, Merlin Entertainments Limited "Merlin" who is the operator of this attraction, acknowledge and support an individual's right to privacy and use appropriate measures and practices to ensure personal data is protected. As a global entertainments service provider, which operates more than 100 attractions and 20 hotels and resort villages across 30 countries, Merlin fulfils many roles as a trusted employer, services supplier, partner and customer. The registered office for Merlin Entertainments is Arbor Building, 16th Floor, 255 Blackfriars Road, London, SE1 9AX, United Kingdom.

 

A list of our attractions and group companies can be found on the Merlin corporate website. This Privacy Notice describes how Merlin and its Affiliates (companies that are directly or indirectly controlled or owned by Merlin) collect, use and disclose personal information. Please read this Privacy Notice carefully.

 

It provides important information about how we use personal data and explains your legal rights. This Privacy Notice is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws. We may make changes to this Privacy Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will strive to make sure that you are aware of any material changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage.

 

We encourage you to regularly check back and review this so that you will always know what information we collect, how we use it, and who we share it with. The entity in the Merlin Group which was originally responsible for collecting information about you will be the Data Controller.

 

Other entities in the Merlin Group may also be Data Controllers where they control the use or processing of such data. To exercise your data subject rights or to contact Merlin, please refer to the relevant sections found later in this Notice .

 

 

When do We Collect Your Data

 

We collect information directly from you when:

 

you visit and navigate our websites

 

you complete forms on our website to book visits to our attractions

 

you complete surveys on our website

 

subscribe to a service

 

opt-in to receiving marketing communications

 

purchase tickets or passes

 

make a booking by telephone

 

visit our attractions (CCTV)

 

login to the Wi-Fi at our attractions

 

make a hotel booking

 

make a complaint or provide feedback

 

or request further information.

 

We may receive some personal information from third parties, such as:

 

family members or legal guardians

 

promotional partners

 

payment providers

 

third party merchants etc.

 

We never knowingly collect personal information from children under 13 for marketing purposes without parental consent, as required by law.

 

 

What Personal Information We Collect

 

We may collect contact information to communicate with you about our services and your bookings. This may include your name, postal address, telephone number, email address, date of birth or social media profile name. We collect information directly from you when you complete surveys or forms on our website to book visits to our attractions, subscribe to a service, purchase tickets, make a hotel booking or requesting further information.

 

Payment Information

 

When you submit payment details for any of our services we may receive financial information about you or the company on behalf of which you are making the payment. This transaction data may include: bank name, bank address, account number, sort code, security code, card expiration date.

 

Purchasing & Marketing Information

 

We collect data regarding your shopping and visit history as well as your marketing preferences and interests. This includes the collection of contact details such as your name, address, date of birth, telephone number and email address, engagement details including your purchase history and attraction visit history, your marketing preferences including interests / marketing list assignments, record of permissions or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type, and session frequency and cookies.

 

Where we require explicit opt-in consent for direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. Otherwise, for non-electronic marketing or where we can rely on the soft opt-in exemption under the Privacy and Electronic Communications Regulations, we will be relying on our Legitimate Interests for the purposes of GDPR.

 

You have a right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by exercising your right to erasure as detailed later in this Notice.

 

1 / 9

 

We also use your personal data for customising or personalising advertisements, offers and content made available to you based on your visits to and/or usage of our attraction websites or other mobile applications, platforms or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes 'profiling', and more information is provided later in this Notice about this.

 

Profiling and Automated Processing

 

'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention. We do not carry out any automated decision making, however we do carry out profiling using automated processing to tailor marketing materials for a specific customer.

 

Where we have permissions to send a consumer marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.

 

We may use software and tools containing Artificial Intelligence (AI), for business efficiency and analytical purposes. AI may be used:

 

To analyse emails/content you have provided to Merlin such as suggesting responses we provide to guests and to help with managing the content internally such as providing a summary of an email. Where used, all responses are viewable by Merlin prior to being issued and personal data is only used in line with the original purposes for which it was provided and/or processed in accordance with this notice

 

To direct your support requests via the initial engagement with a support chatbot - we will inform you when you are engaging with a chatbot before communication commences.

 

By our vetted supply chain in their product and service offerings

 

To provide insights into your personal preferences and may use analytics tools to analyse the effectiveness of advertisements

 

To automate processes within our attractions to improve guest experience

 

For analysing and processing data to improve efficiencies within processes

 

To analyse data in relation to business performance and strategic initiatives

 

Where you have agreed to take part in a meeting, either at our offices or remotely, e.g. using Teams. AI may be used to help with summarising and analysing the meeting content and enabling real-time translation.

 

If inputting any personal data (where necessary and lawful to do so) in connection with such AI tools Merlin will ensure compliance with data protection legislation and regulatory requirements.

 

System and Application Information

 

We collect personal data when you visit any of our websites or use our applications including IP addresses, browser data, location, traffic data, social media behaviour and user patterns, recordings of calls to our service centres, email communications, online chats, comments and reviews collected through surveys or posted on our social media platforms.

 

Physical security records:

 

CCTV - will be used for safety and security monitoring of staff, company property and assets.

 

Bodycam footage will be used for safety and security monitoring of staff, company property and assets.

 

Biometric data (facial recognition) will be collected to identify the correct individual in ride photographs or for security purposes on some sites

 

Photographs: images will be used on passes to identify individual owners and for promotional means in some instances, photography services are in place at some of our attractions and rides

 

Automatic Number Plate Recognition (ANPR): details of vehicle registration numbers will be collected from some sites

 

Some of the personal information that we collect about you or which you provide to us about you and your family may be classified as special category data. We will only process special category data where we have an additional lawful basis for processing.

 

 

Why we collect your personal information

 

We may collect, use and store your personal information for the following reasons:

 

provide you with the products, services or information you request from Merlin, and for related purposes such as delivering customer service, handling queries and complaints, establishing and maintaining contractual relations, complying with industry and regulatory standards;

 

to operate electronic payment processes;

 

based on your choices and previous behaviours, deliver marketing communications, offers and newsletters to you;

 

to show you advertising on social media that is tailored to you

 

to profile potential audiences on social media and online platforms;

 

to monitor entry onto our sites and ensure effective management of the health and safety of our staff, guests and facilities;

 

support our everyday business purposes, such as for account management, quality control, website administration, business continuity and disaster recovery, security and fraud prevention;

 

corporate and business forecasting, reporting, analysis, and insight, to include business development requirements, management and operational reporting, in accordance with business growth, operational activities, and the provision of our services to clients;

 

considering and implementing mergers, acquisitions, reorganizations, bankruptcies, and other business transactions; business management to include accounting, auditing, insurance and compliance assessments;

understand how you and others use our services, for analytics and modelling and to create business intelligence and insights and to understand economic trends and develop better experiences for our guests;

 

generate anonymised or aggregated datasets, which are used for product development;

 

 

2 / 9

 

governance, reporting and legal compliance;

 

establishing, exercising or defending our legal rights; and otherwise, for the lawful operation of our business; CCTV monitoring and other security of company facilities; ensuring adequate insurance coverage for our business;

business management to include accounting and auditing;

 

security threat detection and monitoring.

 

 

Legal Basis for Personal Information Use

 

We need to have a legal basis for using your personal information for the processing set out in this privacy notice as set out below:

 

  1. our use of your personal information is necessary for the performance of our obligations under our contract with you;

 

  1. or our use of your personal information is necessary for complying with our legal obligations

 

  1. or our use of your personal information is necessary to protect an individual’s vital interests (for example if there is a danger to life);

 

  1. or where neither (a) nor (b) apply, it is necessary for the purposes of our legitimate interests or the legitimate interests of a third party (for example, to ensure a safe working environment, to ensure the reliability of our employees, workers and contractors or to maintain adequate personnel records).

 

  1. Where the processing is necessary to protect your vital interests in an emergency situation. We will also collect information about you indirectly from other sources where we believe this is necessary to help ensure the security of our attractions. These other sources may include public registers and social media platforms.

 

 

Children's Personal Information

 

We recognise our responsibility to provide suitable privacy protection to personal information we collect from children under 13. Some of the services we offer or features of our site are not aimed to be used by children and for those we do not knowingly collect personal information from children under 13.

 

When we do intend to collect personal information about children under 13, we put in place a number of measure to protect that child’s privacy such as:

 

notifying parents and/or guardians about the processing and obtaining consent where necessary ensuring any data collected is kept to a minimum

where permitted by law, allowing parents/legal guardians the right to request the personal information collected about their child and ask for such to be amended or deleted.

 

 

Disclosure of Personal Information

 

Your personal data may be made available to Merlin employees, temporary staff, workers and contractors, and with customers, agencies, investors and suppliers in the course of providing our services. Your personal data may be shared with any company that is a member of our group, where we have a lawful basis upon which to do so for example internal administrative purposes, corporate strategy, auditing and monitoring. We may also share your personal information with our group companies where they provide products and services to us, such as information technology systems, health and safety monitoring, security services and human resources services. Access to your personal information is limited to those employees who need to know the personal data and any international data transfers are managed by Merlin's Intragroup Data Transfer Agreement.

 

We may share your personal information with the following categories of third parties:

 

companies that provide products and services to us, such as:

 

investors;

 

insurance companies, including those providing medical insurance and group income protection;

 

legal and regulatory authorities, accountants, auditors, lawyers and other outside professional advisors.

 

information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cyber security services; psychometric testing providers and other outsourcing providers, such as off-site storage providers and cloud services providers. Some examples of the service providers that Merlin use are outlined below:

Customer Relationship Management providers, in particular Salesforce, Experian, Accesso, Avius Insight, Zendesk, Venue Verdict, Sprint Education and Facebook.

 

our app team, Attractions.io

 

our website development agencies, Isobar, CTI Digital and Headland

 

our PR agency, The Academy PR

 

our printing agency, Adare International

 

our ride photography partner POMVOM

 

We will also disclose your personal information to third parties:

 

where it is in our legitimate interests to do so to run, grow and develop our business, for example:

 

if we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets;

 

if Merlin or substantially all of its assets are acquired by a third party, in which case personal information held by Merlin will be one of the transferred assets;

 

if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;

 

 

3 / 9

 

to enforce our contract with you, to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or

 

to protect the rights, property or safety of Merlin, our employees, workers and contractors, customers, suppliers or other persons.

 

Any third parties with whom we share your personal information are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this privacy notice and applicable laws.

 

We are a global company and may transfer the personal data we collect about you internationally to our group companies or third parties, so long as there is a lawful basis for doing. For transfers between Merlin group entities an intragroup agreement is in place. In certain limited circumstances we may seek your explicit consent to send your personal data. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. Before sending your personal data internationally, we will ensure that appropriate safeguards are in place to protect your data and that all transfers are carried out in compliance with your rights and interests. In particular we will either:

 

only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or

 

ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR

 

 

Your Rights

 

The following rights can be exercised directly or, in certain cases, through an authorized agent and are determined by local legislation as set out below.

 

To exercise your data subject rights, including Subject Access Requests, please completethe request form.

 

For further information on what data subject rights are offered, please refer to the below:

 

RIGHT

WHAT THIS MEANS

 

 

You can ask us to:

 

 

confirm whether we are processing your personal data;

 

 

give you a copy of that data;

 

Access

provide you with other information about your personal data such as what data we have, what we use it

 

for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for,

 

 

 

 

what rights you have, how you can make a complaint, where we got your data from and whether we have

 

 

carried out automated decision making or profiling, to the extent that information has not already been

 

 

provided to you in this notice.

 

 

 

 

Rectification

You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before

 

rectifying it.

 

 

 

 

 

 

 

You can ask us to erase your personal data, but only where:

 

 

it is no longer needed for the purposes for which it was collected; or

 

 

you have withdrawn your consent (where the data processing was based on consent); or

 

 

it follows a successful right to object (see 'Objection' below); or

 

 

it has been processed unlawfully; or

 

Erasure/Right to be forgotten

it is necessary to comply with a legal obligation which Merlin is subject to.

 

 

 

 

We are not required to comply with your request to erase your personal data if the processing of your personal

 

 

data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal

 

 

claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or

 

 

historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a

 

 

suppression list if you have opted out from receiving marketing content to ensure that you do not receive any

 

 

further communications.

 

 

 

 

 

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

 

 

its accuracy is contested (see 'Rectification' above), to allow us to verify its accuracy; or

 

 

the processing is unlawful, but you do not want it erased; or

 

 

it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise

 

 

or defend legal claims; or

 

Restriction

you have exercised the right to object, and verification of overriding grounds is pending.

 

 

We can continue to use your personal data following a request for restriction, where:

 

 

we have your consent; or

 

 

to establish, exercise or defend legal claims; or

 

 

to protect the rights of another natural or legal person.

 

 

 

 

 

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or

 

Portability

you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is

 

based on your consent or the performance of a contract with you; and the processing is carried out by automated

 

 

 

 

means.

 

 

 

 

 

4 / 9

 

 

You can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see

 

 

Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate

 

 

Interests.

 

Objection

Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests

 

 

 

 

which override your rights, however this does not apply as far as the objections refers to the use of personal data

 

 

for direct marketing purposes.

 

 

 

 

 

Please note the following if you do wish to exercise these rights:

 

We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.

 

We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded or excessive, in which case we will charge a reasonable amount in the circumstances.

 

We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.

 

Local laws may provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.

 

You also have the right to complain to your supervisory authority (further details of which are set out in our Complaints section below)

 

 

Retention of Personal Information

 

We retain your personal data for as long as needed, or permitted, based on the reason we obtained it (consistent with applicable law and to support legitimate business purposes). When deciding how long to keep your personal data, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period before we can delete them) or whether we have taken any legal positions (e.g., issued any legal holds or otherwise need to preserve the information). Rather than delete your data, we may also deidentify it by removing identifying details. If we deidentify the data, we will not attempt to reidentify it.

 

 

Security

 

Merlin has implemented safeguards that are intended to protect the confidentiality of your personal information and we are a "PCI DSS" (The Payment Card Industry Data Security Standard) approved organization.

 

You may, from time to time, access links to or other websites operated by third parties (e.g. competition providers, industry news sources, sales portal, feedback surveys etc). Please note that this privacy notice only applies to the personal information that we collect from or about you and we cannot be responsible for personal information collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites or third-party terms and conditions or policies.

 

 

Cookies

 

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive.

 

We use the following cookies:

 

Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

 

Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

 

Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

 

Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

 

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies. These cookies are likely to be analytical/performance cookies or targeting cookies. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site. You can opt-out of optional cookies which you can exercise by using the consent banner when you first visit one of our attraction's webpages.

 

 

Contact and complaints

 

If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights, please contact our Data Protection Team - email Data.Protection@merlinentertainments.biz or write to:

 

Data Protection Officer

 

Merlin Entertainments

 

Arbor Building, 16th Floor,

 

5 / 9

 

255 Blackfriars Road,

 

London,

 

SE1 9AX,

 

United Kingdom

 

We will investigate and attempt to resolve any such complaint or dispute regarding the use or disclosure of your personal information.

 

You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

 

In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

 

For any other queries or complaints not relating to data protection, please refer to the attraction's "Contact Us" link at the bottom of this page.

 

 

Information on Joint Controllership

 

In certain specific instances, as set out below, this attraction acts as a Joint Controller of your personal data with Merlin Attractions Operations Ltd (hereinafter "MAOL"), which is also part of the Merlin Entertainments Limited Group and whose registered office is at Arbor Building, 16th Floor, 255 Blackfriars Road, London, SE1 9AX, United Kingdom (hereinafter, for convenience, collectively referred to as the "Joint Controllers").

 

As of the date of publication of this privacy notice, this attraction operates under joint controllership with MAOL its Customer Relationship Management (CRM) platform. For further information on this relationship, please refer to the privacy notice on the Merlin corporate website.

 

 

APPENDIX 1 - Glossary

 

Consumer: means an individual who will, who has, or who is purchasing tickets for an Attraction or using Merlin's websites, goods or services, or participating in a prize draw/competition or Merlin experience.

 

Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.

 

Data Subject: means an individual whom the personal data is about.

 

EEA: means the European Economic Area.

 

GDPR: means the General Data Protection Regulation 2018.

 

ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.

 

Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.

 

Member States: means those countries which are part of the European Union.

 

Data Privacy Framework: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.

 

Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.

 

Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

 

Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.

 

 

APPENDIX 2 - Details of Processing of Guest Data

 

At Merlin Entertainments, depending on the attraction we will rely upon the following lawful basis for our data processing.

 

Purpose for processing

The lawful basis we rely on

 

 

 

 

Service Delivery

Merlin will process your personal data in accordance with its legal obligations and legitimate interests to

 

To provide guests with the products, services or

deliver its services to you.

 

 

 

information you request from Merlin, and for related

 

 

purposes such as delivering customer service, handling

 

 

queries and complaints, establishing and maintaining

 

 

contractual relations.

 

 

For some of our attractions, we also offer a Premium

 

 

and VIP Experience package. For these packages, we

 

 

may need to contact you to obtain additional

 

 

information to provide the best experience for your visit.

 

 

This may include whether your visit is for a special

 

 

occasion such as a birthday, personal requirements

 

 

such as dietary or accessibility needs and if you have

 

 

any special requests such as to bring along props or

 

 

banners.

 

 

 

 

 

 

 

 

 

6 / 9

 

Operating Competitions, Prize Draws and other

It is necessary for Merlin to use your personal data to perform our obligations in accordance with any

 

Promotions

contract that we may have with you or where it is in our legitimate interest to use your personal data to

 

To administer competitions and rewards to our guests

enable us to administer a Merlin competition or promotion effectively and fairly in line with our own

 

we may use our website and social media accounts

business practices.

 

 

 

 

 

 

 

 

Payment Services

We have legal and regulatory obligations to ensure that we process certain personal data when

 

 

 

 

facilitating payment transactions.

 

To operate electronic payment processes

 

 

 

 

 

 

 

Photography and Film

The company also has a legitimate interest in promoting and marketing its brand, whether to prospective

 

Some attractions offer photography services during

employees or prospective customers, both of which support the Company's immediate and long-term

 

business goals and outcomes.

 

your visit.

 

 

 

Where relevant for publishing appropriate internal or

Guests have the option to purchase their own photographs at certain attractions. Notices are in place

 

where photography services are in operation.

 

external communications or publicity or marketing

 

 

 

material including via social media in appropriate

 

 

circumstances;

 

 

 

 

 

 

 

Deliver marketing communications by email, offers and

Merlin will rely upon your explicit consent to send you marketing material. All of Merlin’s marketing

 

newsletters to you

correspondence has the option for you to ‘unsubscribe’ from our communications, at any time.

 

To deliver marketing communications, offers and

 

 

newsletters to you .

For our German attractions, in accordance with Section 7, Paragraph 2 of the Act Against Unfair

 

 

 

 

 

 

 

 

Competition)

 

 

 

 

 

 

To deliver marketing to guests and prospective leads

All Facebook users have the opportunity to set their preferences for their marketing options.

 

on social media

Where we use your personal data to display online personal advertising to you, we rely on the consent or

 

 

 

 

 

Merlin and its third party partners may show you

our legitimate interests to promote our website and services and/or attractions to you.

 

advertising on social media, that is tailored to you.

We will only share your Personal Data with the third-party providers of any social media platform so that

 

 

 

 

 

 

 

 

we can advertise our available services to you when you use those platforms only where you have

 

If you are a user of social media, Merlin may ask the

provided your consent or where it is otherwise in our legitimate interests to do so in order to promote

 

Merlin services.

 

third-party providers of those platforms to find other

 

 

 

registered users of their services who share similar

 

 

interests and characteristics to you, which will be based

 

 

on information that the third party holds about you and

 

 

other registered users of its platform. This is known as

 

 

advertising to a ‘lookalike’ audience advertising

 

 

because Merlin are seeking to advertise to other

 

 

people who ‘look like’ you. This advertising method is

 

 

based on data that you as user of social media have

 

 

provided to the platform independently and is also

 

 

dependent upon the privacy settings you have

 

 

associated to your social media account.

 

 

(for more information click here)

 

 

 

 

 

 

 

Safety, security and preventing and detecting

Some of this processing is necessary for the compliance with legal obligations to which the Company is

 

inappropriate or unlawful activities

subject including health and safety laws, our duty of care and regulatory laws to which the Company is

 

Safety and security including the use of CCTV at our

subject.

 

 

 

attractions; satisfying the Company's regulatory or otherAdditional processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

obligations preventing, detecting and investigating a

The Company has a legitimate interest in ensuring that its business, guests, employees and systems are

 

 

 

 

 

wide range of activities and behaviours and liaising with protected and that action is taken to mitigate risk and to prevent and detect matters which may put the

 

regulatory authorities

Company or its business or stakeholders at risk.

 

 

 

 

 

 

 

 

This includes carrying out risk assessments; detecting and preventing crimes or criminal activity or other

 

 

 

 

unlawful or unethical activity; ensuring that only appropriate employees are engaged in our business; and

 

 

 

 

ensuring compliance other legal or regulatory requirements placed upon us or related official guidance.

 

 

 

 

It also includes providing ways to report conduct or compliance issues and the appropriate consideration

 

 

 

 

and investigation of matters drawn to the Company's attention.

 

 

 

 

It also includes facilitating, controlling and restricting access to appropriate locations and systems. To be

 

 

 

 

effective these must be monitored and kept up to date. Effective business protection is important for

 

 

 

 

business continuity and to protect the Company's reputation. This supports the Company's immediate

 

 

 

 

and long-term business goals and outcomes.

 

 

 

 

 

 

ANPR Recognition

Depending on local laws, we will rely upon consent, performance of a contract or legitimate interest to

 

Some of our attractions have automatic number place

process this information.

 

recognition in place to monitor entry to our car park

 

 

facilities

 

 

 

 

 

 

 

 

 

 

 

 

 

7 / 9

 

Business information protection

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

Protecting the private, confidential and proprietary

The Company has a legitimate interest in ensuring that its business, guests, employees and systems are

 

information of the Company, its employees, its guests

protected.

 

and third parties

This includes protecting our assets and the integrity of our systems; and detecting and preventing loss of

 

 

 

 

confidential and proprietary information.

 

 

This is also important to comply with our obligations to our guests and staff to protect their information.

 

 

Effective business protection is important for business continuity and to protect the Company's reputation.

 

 

This supports the Company's immediate and long-term business goals and outcomes.

 

 

 

 

Legal compliance

This processing is necessary for the compliance with legal obligations to which the Company is subject

 

Complying with laws and regulation applicable to the

including those laws set out.

 

 

 

Company

 

 

 

 

 

Commercial transactions or outsourcing

Some of this processing is necessary for the compliance with legal obligations to which the Company is

 

Planning, due diligence and implementation in relation

subject.

 

to a commercial transaction or service transfer

Additional processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

involving the Company that impacts on your

The Company has a legitimate interest in managing its business operations in the most effective way.

 

relationship with the Company through our CRM

 

The Company needs to make decisions relating to the future of its business in order to preserve its

 

systems.

 

business operations or grow its business or maximise efficiency and effectiveness.

 

 

 

 

In the event that the Company makes a decision to outsource a function or acquire or transfer a business

 

 

or part of a business the Company and the third party with whom the Company is seeking to transact

 

 

each have a legitimate interest in ensuring that the services offered to guests are upheld throughout any

 

 

transition period.

 

 

Business change programmes and transformation support business continuity and improvement and

 

 

support the Company in achieving its long-term business goals and outcomes.

 

 

 

 

Business reporting

Some of this processing is necessary for the compliance with legal obligations to which the Company is

 

For business operational and reporting documentation

subject including statutory Company reporting obligations and corporate governance requirements.

 

such as accounting, auditing, insurance, compliance

Additional processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

assessments, business development requirements,

The Company has a legitimate interest in managing its workforce and operating its business, ensuring

 

management and operational reporting, in accordance

 

appropriate governance and controls are in place and to measure and report on financial management

 

with business growth and operational activities

and business performance.

 

 

 

 

This includes appropriate preparation of management information reports; financial accounts and other

 

 

reports including in relation to HR metrics such as retention or attendance; reporting for internal and

 

 

external governance; and liaising with third parties such as investors or finance providers.

 

 

Effective management information and reporting is important for effective management of the business,

 

 

risk management and decision making. This supports business continuity and is important to support the

 

 

Company's long-term business goals and outcomes.

 

 

 

 

Stakeholder management

The Company also has a legitimate interest in ensuring that it can engage with suppliers effectively and

 

To operate the relationship with other third parties such

that suppliers can access the information they need to provide the service for which they have been

 

as suppliers including disclosure of information to data

engaged.

 

processors for the provision of services to the

Effective communication with and engagement of suppliers is important for business continuity and

 

Company

improvement.

 

 

This supports the Company's achievement of its immediate and long-term goals and outcomes.

 

 

 

 

Communication and public relations

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

Where relevant for publishing appropriate internal or

The Company has a legitimate interest in communicating effectively with its workforce, guests and other

 

external communications or publicity material including

stakeholders as well as carrying out appropriate business development activity.

 

via social media in appropriate circumstances;

That includes giving information to the workforce or, where appropriate guests, other stakeholders or the

 

 

 

 

wider market about relevant business activities, plans or projects. That can include making reference to

 

 

those of our staff who are involved in the relevant matters being communicated above.

 

 

Effective employee, guest and other stakeholder communication and engagement contributes to

 

 

attraction and retention of high calibre employees, development and retention of guest relationships,

 

 

strong business performance, business growth and maintaining and enhancing the Company's

 

 

reputation. This supports the Company's immediate and long-term business goals and outcomes.

 

 

 

 

Complaints, claims and litigation

This processing is necessary for the purpose of the legitimate interests pursued by the Company.

 

To enforce our legal rights and obligations, and for any

The Company has a legitimate interest in protecting its organisation from breaches of legal obligations

 

purposes in connection with any complaint or legal

owed to it and defending itself against litigation. This is needed to ensure that the Company's legal rights

 

claim made by, against or otherwise involving you

and interests are protected appropriately, to protect the Company's reputation and to protect the

 

 

Company from other damage or loss.

 

 

This is important to protect the business of the Company and ensure its continued success and growth.

 

 

This supports the Company's immediate and long-term business goals and outcomes.

 

 

 

 

 

 

 

 

 

 

 

8 / 9

 

Legal or regulatory disclosures

This processing is necessary for the compliance with legal obligations to which the Company is subject

 

To comply with lawful requests by public authorities

where there is a legal obligation to disclose information or a court or other legal order to provide

 

information is in place.

 

(including without limitation to meet national security or

 

law enforcement requirements), discovery requests, or

Where not legally required, processing is necessary for the purpose of the legitimate interests pursued

 

where otherwise required or permitted by applicable

by the Company.

 

laws, court orders, government regulations, or

The Company has a legitimate interest in co-operating with relevant authorities, government bodies or

 

regulatory authorities (including without limitation data

 

regulators for the provision of information where appropriate. The Company wishes to maintain its

 

protection, tax and employment), whether within or

reputation as a good corporate citizen and to act ethically and appropriately in all the countries in which it

 

outside your country;

 

does business.

 

 

 

 

This encourages compliance and high standards of business practice and protects the Company's

 

 

reputation. This supports the Company's immediate and long-term business goals and outcomes.

 

 

 

 

Analytics & Monitoring

Merlin has a legitimate interest in using analytics to enhance and improve guest experience. Merlin uses

 

To understand how you and others use our services,

cookies to monitor interaction between guests and its website.

 

 

 

for analytics and modelling and to create business

 

 

intelligence and insights and to understand economic

 

 

trends

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

9 / 9