- Home
- Privacy policy
Privacy policy
Through its commitment to its core values, Merlin Entertainments Limited "Merlin" who is the operator of this attraction, acknowledge and support an individual's right to privacy and use appropriate measures and practices to ensure personal data is protected. As a global entertainments service provider, which operates more than 100 attractions and 20 hotels and resort villages across 30 countries, Merlin fulfils many roles as a trusted employer, services supplier, partner and customer. The registered office for Merlin Entertainments is Arbor Building, 16th Floor, 255 Blackfriars Road, London, SE1 9AX, United Kingdom.
A list of our attractions and group companies can be found on the Merlin corporate website. This Privacy Notice describes how Merlin and its Affiliates (companies that are directly or indirectly controlled or owned by Merlin) collect, use and disclose personal information. Please read this Privacy Notice carefully.
It provides important information about how we use personal data and explains your legal rights. This Privacy Notice is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws. We may make changes to this Privacy Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will strive to make sure that you are aware of any material changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage.
We encourage you to regularly check back and review this so that you will always know what information we collect, how we use it, and who we share it with. The entity in the Merlin Group which was originally responsible for collecting information about you will be the Data Controller.
Other entities in the Merlin Group may also be Data Controllers where they control the use or processing of such data. To exercise your data subject rights or to contact Merlin, please refer to the relevant sections found later in this Notice .
When do We Collect Your Data
We collect information directly from you when:
you visit and navigate our websites
you complete forms on our website to book visits to our attractions
you complete surveys on our website
subscribe to a service
opt-in to receiving marketing communications
purchase tickets or passes
make a booking by telephone
visit our attractions (CCTV)
login to the Wi-Fi at our attractions
make a hotel booking
make a complaint or provide feedback
or request further information.
We may receive some personal information from third parties, such as:
family members or legal guardians
promotional partners
payment providers
third party merchants etc.
We never knowingly collect personal information from children under 13 for marketing purposes without parental consent, as required by law.
What Personal Information We Collect
We may collect contact information to communicate with you about our services and your bookings. This may include your name, postal address, telephone number, email address, date of birth or social media profile name. We collect information directly from you when you complete surveys or forms on our website to book visits to our attractions, subscribe to a service, purchase tickets, make a hotel booking or requesting further information.
Payment Information
When you submit payment details for any of our services we may receive financial information about you or the company on behalf of which you are making the payment. This transaction data may include: bank name, bank address, account number, sort code, security code, card expiration date.
Purchasing & Marketing Information
We collect data regarding your shopping and visit history as well as your marketing preferences and interests. This includes the collection of contact details such as your name, address, date of birth, telephone number and email address, engagement details including your purchase history and attraction visit history, your marketing preferences including interests / marketing list assignments, record of permissions or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type, and session frequency and cookies.
Where we require explicit opt-in consent for direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. Otherwise, for non-electronic marketing or where we can rely on the soft opt-in exemption under the Privacy and Electronic Communications Regulations, we will be relying on our Legitimate Interests for the purposes of GDPR.
You have a right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by exercising your right to erasure as detailed later in this Notice.
1 / 9
We also use your personal data for customising or personalising advertisements, offers and content made available to you based on your visits to and/or usage of our attraction websites or other mobile applications, platforms or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes 'profiling', and more information is provided later in this Notice about this.
Profiling and Automated Processing
'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention. We do not carry out any automated decision making, however we do carry out profiling using automated processing to tailor marketing materials for a specific customer.
Where we have permissions to send a consumer marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.
We may use software and tools containing Artificial Intelligence (AI), for business efficiency and analytical purposes. AI may be used:
To analyse emails/content you have provided to Merlin such as suggesting responses we provide to guests and to help with managing the content internally such as providing a summary of an email. Where used, all responses are viewable by Merlin prior to being issued and personal data is only used in line with the original purposes for which it was provided and/or processed in accordance with this notice
To direct your support requests via the initial engagement with a support chatbot - we will inform you when you are engaging with a chatbot before communication commences.
By our vetted supply chain in their product and service offerings
To provide insights into your personal preferences and may use analytics tools to analyse the effectiveness of advertisements
To automate processes within our attractions to improve guest experience
For analysing and processing data to improve efficiencies within processes
To analyse data in relation to business performance and strategic initiatives
Where you have agreed to take part in a meeting, either at our offices or remotely, e.g. using Teams. AI may be used to help with summarising and analysing the meeting content and enabling real-time translation.
If inputting any personal data (where necessary and lawful to do so) in connection with such AI tools Merlin will ensure compliance with data protection legislation and regulatory requirements.
System and Application Information
We collect personal data when you visit any of our websites or use our applications including IP addresses, browser data, location, traffic data, social media behaviour and user patterns, recordings of calls to our service centres, email communications, online chats, comments and reviews collected through surveys or posted on our social media platforms.
Physical security records:
CCTV - will be used for safety and security monitoring of staff, company property and assets.
Bodycam footage will be used for safety and security monitoring of staff, company property and assets.
Biometric data (facial recognition) will be collected to identify the correct individual in ride photographs or for security purposes on some sites
Photographs: images will be used on passes to identify individual owners and for promotional means in some instances, photography services are in place at some of our attractions and rides
Automatic Number Plate Recognition (ANPR): details of vehicle registration numbers will be collected from some sites
Some of the personal information that we collect about you or which you provide to us about you and your family may be classified as special category data. We will only process special category data where we have an additional lawful basis for processing.
Why we collect your personal information
We may collect, use and store your personal information for the following reasons:
provide you with the products, services or information you request from Merlin, and for related purposes such as delivering customer service, handling queries and complaints, establishing and maintaining contractual relations, complying with industry and regulatory standards;
to operate electronic payment processes;
based on your choices and previous behaviours, deliver marketing communications, offers and newsletters to you;
to show you advertising on social media that is tailored to you
to profile potential audiences on social media and online platforms;
to monitor entry onto our sites and ensure effective management of the health and safety of our staff, guests and facilities;
support our everyday business purposes, such as for account management, quality control, website administration, business continuity and disaster recovery, security and fraud prevention;
corporate and business forecasting, reporting, analysis, and insight, to include business development requirements, management and operational reporting, in accordance with business growth, operational activities, and the provision of our services to clients;
considering and implementing mergers, acquisitions, reorganizations, bankruptcies, and other business transactions; business management to include accounting, auditing, insurance and compliance assessments;
understand how you and others use our services, for analytics and modelling and to create business intelligence and insights and to understand economic trends and develop better experiences for our guests;
generate anonymised or aggregated datasets, which are used for product development;
2 / 9
governance, reporting and legal compliance;
establishing, exercising or defending our legal rights; and otherwise, for the lawful operation of our business; CCTV monitoring and other security of company facilities; ensuring adequate insurance coverage for our business;
business management to include accounting and auditing;
security threat detection and monitoring.
Legal Basis for Personal Information Use
We need to have a legal basis for using your personal information for the processing set out in this privacy notice as set out below:
- our use of your personal information is necessary for the performance of our obligations under our contract with you;
- or our use of your personal information is necessary for complying with our legal obligations
- or our use of your personal information is necessary to protect an individual’s vital interests (for example if there is a danger to life);
- or where neither (a) nor (b) apply, it is necessary for the purposes of our legitimate interests or the legitimate interests of a third party (for example, to ensure a safe working environment, to ensure the reliability of our employees, workers and contractors or to maintain adequate personnel records).
- Where the processing is necessary to protect your vital interests in an emergency situation. We will also collect information about you indirectly from other sources where we believe this is necessary to help ensure the security of our attractions. These other sources may include public registers and social media platforms.
Children's Personal Information
We recognise our responsibility to provide suitable privacy protection to personal information we collect from children under 13. Some of the services we offer or features of our site are not aimed to be used by children and for those we do not knowingly collect personal information from children under 13.
When we do intend to collect personal information about children under 13, we put in place a number of measure to protect that child’s privacy such as:
notifying parents and/or guardians about the processing and obtaining consent where necessary ensuring any data collected is kept to a minimum
where permitted by law, allowing parents/legal guardians the right to request the personal information collected about their child and ask for such to be amended or deleted.
Disclosure of Personal Information
Your personal data may be made available to Merlin employees, temporary staff, workers and contractors, and with customers, agencies, investors and suppliers in the course of providing our services. Your personal data may be shared with any company that is a member of our group, where we have a lawful basis upon which to do so for example internal administrative purposes, corporate strategy, auditing and monitoring. We may also share your personal information with our group companies where they provide products and services to us, such as information technology systems, health and safety monitoring, security services and human resources services. Access to your personal information is limited to those employees who need to know the personal data and any international data transfers are managed by Merlin's Intragroup Data Transfer Agreement.
We may share your personal information with the following categories of third parties:
companies that provide products and services to us, such as:
investors;
insurance companies, including those providing medical insurance and group income protection;
legal and regulatory authorities, accountants, auditors, lawyers and other outside professional advisors.
information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cyber security services; psychometric testing providers and other outsourcing providers, such as off-site storage providers and cloud services providers. Some examples of the service providers that Merlin use are outlined below:
Customer Relationship Management providers, in particular Salesforce, Experian, Accesso, Avius Insight, Zendesk, Venue Verdict, Sprint Education and Facebook.
our app team, Attractions.io
our website development agencies, Isobar, CTI Digital and Headland
our PR agency, The Academy PR
our printing agency, Adare International
our ride photography partner POMVOM
We will also disclose your personal information to third parties:
where it is in our legitimate interests to do so to run, grow and develop our business, for example:
if we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets;
if Merlin or substantially all of its assets are acquired by a third party, in which case personal information held by Merlin will be one of the transferred assets;
if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
3 / 9
to enforce our contract with you, to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
to protect the rights, property or safety of Merlin, our employees, workers and contractors, customers, suppliers or other persons.
Any third parties with whom we share your personal information are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this privacy notice and applicable laws.
We are a global company and may transfer the personal data we collect about you internationally to our group companies or third parties, so long as there is a lawful basis for doing. For transfers between Merlin group entities an intragroup agreement is in place. In certain limited circumstances we may seek your explicit consent to send your personal data. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. Before sending your personal data internationally, we will ensure that appropriate safeguards are in place to protect your data and that all transfers are carried out in compliance with your rights and interests. In particular we will either:
only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR
Your Rights
The following rights can be exercised directly or, in certain cases, through an authorized agent and are determined by local legislation as set out below.
To exercise your data subject rights, including Subject Access Requests, please completethe request form.
For further information on what data subject rights are offered, please refer to the below:
|
RIGHT |
WHAT THIS MEANS |
|
|
|
You can ask us to: |
|
|
|
confirm whether we are processing your personal data; |
|
|
|
give you a copy of that data; |
|
|
Access |
provide you with other information about your personal data such as what data we have, what we use it |
|
|
for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, |
|
|
|
|
|
|
|
|
what rights you have, how you can make a complaint, where we got your data from and whether we have |
|
|
|
carried out automated decision making or profiling, to the extent that information has not already been |
|
|
|
provided to you in this notice. |
|
|
|
|
|
|
Rectification |
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before |
|
|
rectifying it. |
|
|
|
|
|
|
|
|
|
|
|
|
You can ask us to erase your personal data, but only where: |
|
|
|
it is no longer needed for the purposes for which it was collected; or |
|
|
|
you have withdrawn your consent (where the data processing was based on consent); or |
|
|
|
it follows a successful right to object (see 'Objection' below); or |
|
|
|
it has been processed unlawfully; or |
|
|
Erasure/Right to be forgotten |
it is necessary to comply with a legal obligation which Merlin is subject to. |
|
|
|
|
|
|
|
We are not required to comply with your request to erase your personal data if the processing of your personal |
|
|
|
data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal |
|
|
|
claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or |
|
|
|
historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a |
|
|
|
suppression list if you have opted out from receiving marketing content to ensure that you do not receive any |
|
|
|
further communications. |
|
|
|
|
|
|
|
You can ask us to restrict (i.e. keep but not use) your personal data, but only where: |
|
|
|
its accuracy is contested (see 'Rectification' above), to allow us to verify its accuracy; or |
|
|
|
the processing is unlawful, but you do not want it erased; or |
|
|
|
it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise |
|
|
|
or defend legal claims; or |
|
|
Restriction |
you have exercised the right to object, and verification of overriding grounds is pending. |
|
|
|
We can continue to use your personal data following a request for restriction, where: |
|
|
|
we have your consent; or |
|
|
|
to establish, exercise or defend legal claims; or |
|
|
|
to protect the rights of another natural or legal person. |
|
|
|
|
|
|
|
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or |
|
|
Portability |
you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is |
|
|
based on your consent or the performance of a contract with you; and the processing is carried out by automated |
|
|
|
|
|
|
|
|
means. |
|
|
|
|
|
4 / 9
|
|
You can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see |
|
|
|
Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate |
|
|
|
Interests. |
|
|
Objection |
Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests |
|
|
|
|
|
|
|
which override your rights, however this does not apply as far as the objections refers to the use of personal data |
|
|
|
for direct marketing purposes. |
|
|
|
|
|
Please note the following if you do wish to exercise these rights:
We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded or excessive, in which case we will charge a reasonable amount in the circumstances.
We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Local laws may provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
You also have the right to complain to your supervisory authority (further details of which are set out in our Complaints section below)
Retention of Personal Information
We retain your personal data for as long as needed, or permitted, based on the reason we obtained it (consistent with applicable law and to support legitimate business purposes). When deciding how long to keep your personal data, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period before we can delete them) or whether we have taken any legal positions (e.g., issued any legal holds or otherwise need to preserve the information). Rather than delete your data, we may also deidentify it by removing identifying details. If we deidentify the data, we will not attempt to reidentify it.
Security
Merlin has implemented safeguards that are intended to protect the confidentiality of your personal information and we are a "PCI DSS" (The Payment Card Industry Data Security Standard) approved organization.
You may, from time to time, access links to or other websites operated by third parties (e.g. competition providers, industry news sources, sales portal, feedback surveys etc). Please note that this privacy notice only applies to the personal information that we collect from or about you and we cannot be responsible for personal information collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites or third-party terms and conditions or policies.
Cookies
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive.
We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies. These cookies are likely to be analytical/performance cookies or targeting cookies. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site. You can opt-out of optional cookies which you can exercise by using the consent banner when you first visit one of our attraction's webpages.
Contact and complaints
If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights, please contact our Data Protection Team - email Data.Protection@merlinentertainments.biz or write to:
Data Protection Officer
Merlin Entertainments
Arbor Building, 16th Floor,
5 / 9
255 Blackfriars Road,
London,
SE1 9AX,
United Kingdom
We will investigate and attempt to resolve any such complaint or dispute regarding the use or disclosure of your personal information.
You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
For any other queries or complaints not relating to data protection, please refer to the attraction's "Contact Us" link at the bottom of this page.
Information on Joint Controllership
In certain specific instances, as set out below, this attraction acts as a Joint Controller of your personal data with Merlin Attractions Operations Ltd (hereinafter "MAOL"), which is also part of the Merlin Entertainments Limited Group and whose registered office is at Arbor Building, 16th Floor, 255 Blackfriars Road, London, SE1 9AX, United Kingdom (hereinafter, for convenience, collectively referred to as the "Joint Controllers").
As of the date of publication of this privacy notice, this attraction operates under joint controllership with MAOL its Customer Relationship Management (CRM) platform. For further information on this relationship, please refer to the privacy notice on the Merlin corporate website.
APPENDIX 1 - Glossary
Consumer: means an individual who will, who has, or who is purchasing tickets for an Attraction or using Merlin's websites, goods or services, or participating in a prize draw/competition or Merlin experience.
Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.
Data Subject: means an individual whom the personal data is about.
EEA: means the European Economic Area.
GDPR: means the General Data Protection Regulation 2018.
ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.
Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.
Member States: means those countries which are part of the European Union.
Data Privacy Framework: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.
Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
APPENDIX 2 - Details of Processing of Guest Data
At Merlin Entertainments, depending on the attraction we will rely upon the following lawful basis for our data processing.
|
Purpose for processing |
The lawful basis we rely on |
|
|
|
|
|
|
Service Delivery |
Merlin will process your personal data in accordance with its legal obligations and legitimate interests to |
|
|
To provide guests with the products, services or |
deliver its services to you. |
|
|
|
|
|
|
information you request from Merlin, and for related |
|
|
|
purposes such as delivering customer service, handling |
|
|
|
queries and complaints, establishing and maintaining |
|
|
|
contractual relations. |
|
|
|
For some of our attractions, we also offer a Premium |
|
|
|
and VIP Experience package. For these packages, we |
|
|
|
may need to contact you to obtain additional |
|
|
|
information to provide the best experience for your visit. |
|
|
|
This may include whether your visit is for a special |
|
|
|
occasion such as a birthday, personal requirements |
|
|
|
such as dietary or accessibility needs and if you have |
|
|
|
any special requests such as to bring along props or |
|
|
|
banners. |
|
|
|
|
|
|
6 / 9
|
Operating Competitions, Prize Draws and other |
It is necessary for Merlin to use your personal data to perform our obligations in accordance with any |
|
||
|
Promotions |
contract that we may have with you or where it is in our legitimate interest to use your personal data to |
|
||
|
To administer competitions and rewards to our guests |
enable us to administer a Merlin competition or promotion effectively and fairly in line with our own |
|
||
|
we may use our website and social media accounts |
business practices. |
|
||
|
|
|
|||
|
|
|
|
|
|
|
Payment Services |
We have legal and regulatory obligations to ensure that we process certain personal data when |
|
||
|
|
|
|
facilitating payment transactions. |
|
|
To operate electronic payment processes |
|
|
||
|
|
|
|
|
|
|
Photography and Film |
The company also has a legitimate interest in promoting and marketing its brand, whether to prospective |
|
||
|
Some attractions offer photography services during |
employees or prospective customers, both of which support the Company's immediate and long-term |
|
||
|
business goals and outcomes. |
|
|||
|
your visit. |
|
|||
|
|
|
|||
|
Where relevant for publishing appropriate internal or |
Guests have the option to purchase their own photographs at certain attractions. Notices are in place |
|
||
|
where photography services are in operation. |
|
|||
|
external communications or publicity or marketing |
|
|||
|
|
|
|||
|
material including via social media in appropriate |
|
|
||
|
circumstances; |
|
|
||
|
|
|
|
|
|
|
Deliver marketing communications by email, offers and |
Merlin will rely upon your explicit consent to send you marketing material. All of Merlin’s marketing |
|
||
|
newsletters to you |
correspondence has the option for you to ‘unsubscribe’ from our communications, at any time. |
|
||
|
To deliver marketing communications, offers and |
|
|
||
|
newsletters to you . |
For our German attractions, in accordance with Section 7, Paragraph 2 of the Act Against Unfair |
|
||
|
|
|
|
|
|
|
|
|
|
Competition) |
|
|
|
|
|
|
|
|
To deliver marketing to guests and prospective leads |
All Facebook users have the opportunity to set their preferences for their marketing options. |
|
||
|
on social media |
Where we use your personal data to display online personal advertising to you, we rely on the consent or |
|
||
|
|
|
|
|
|
|
Merlin and its third party partners may show you |
our legitimate interests to promote our website and services and/or attractions to you. |
|
||
|
advertising on social media, that is tailored to you. |
We will only share your Personal Data with the third-party providers of any social media platform so that |
|
||
|
|
|
|
|
|
|
|
|
|
we can advertise our available services to you when you use those platforms only where you have |
|
|
If you are a user of social media, Merlin may ask the |
provided your consent or where it is otherwise in our legitimate interests to do so in order to promote |
|
||
|
Merlin services. |
|
|||
|
third-party providers of those platforms to find other |
|
|||
|
|
|
|||
|
registered users of their services who share similar |
|
|
||
|
interests and characteristics to you, which will be based |
|
|
||
|
on information that the third party holds about you and |
|
|
||
|
other registered users of its platform. This is known as |
|
|
||
|
advertising to a ‘lookalike’ audience advertising |
|
|
||
|
because Merlin are seeking to advertise to other |
|
|
||
|
people who ‘look like’ you. This advertising method is |
|
|
||
|
based on data that you as user of social media have |
|
|
||
|
provided to the platform independently and is also |
|
|
||
|
dependent upon the privacy settings you have |
|
|
||
|
associated to your social media account. |
|
|
||
|
(for more information click here) |
|
|
||
|
|
|
|
|
|
|
Safety, security and preventing and detecting |
Some of this processing is necessary for the compliance with legal obligations to which the Company is |
|
||
|
inappropriate or unlawful activities |
subject including health and safety laws, our duty of care and regulatory laws to which the Company is |
|
||
|
Safety and security including the use of CCTV at our |
subject. |
|
||
|
|
|
|||
|
attractions; satisfying the Company's regulatory or otherAdditional processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|||
|
obligations preventing, detecting and investigating a |
The Company has a legitimate interest in ensuring that its business, guests, employees and systems are |
|
||
|
|
|
|
|
|
|
wide range of activities and behaviours and liaising with protected and that action is taken to mitigate risk and to prevent and detect matters which may put the |
|
|||
|
regulatory authorities |
Company or its business or stakeholders at risk. |
|
||
|
|
|
|
|
|
|
|
|
|
This includes carrying out risk assessments; detecting and preventing crimes or criminal activity or other |
|
|
|
|
|
unlawful or unethical activity; ensuring that only appropriate employees are engaged in our business; and |
|
|
|
|
|
ensuring compliance other legal or regulatory requirements placed upon us or related official guidance. |
|
|
|
|
|
It also includes providing ways to report conduct or compliance issues and the appropriate consideration |
|
|
|
|
|
and investigation of matters drawn to the Company's attention. |
|
|
|
|
|
It also includes facilitating, controlling and restricting access to appropriate locations and systems. To be |
|
|
|
|
|
effective these must be monitored and kept up to date. Effective business protection is important for |
|
|
|
|
|
business continuity and to protect the Company's reputation. This supports the Company's immediate |
|
|
|
|
|
and long-term business goals and outcomes. |
|
|
|
|
|
|
|
|
ANPR Recognition |
Depending on local laws, we will rely upon consent, performance of a contract or legitimate interest to |
|
||
|
Some of our attractions have automatic number place |
process this information. |
|
||
|
recognition in place to monitor entry to our car park |
|
|
||
|
facilities |
|
|
||
|
|
|
|
|
|
7 / 9
|
Business information protection |
This processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|
Protecting the private, confidential and proprietary |
The Company has a legitimate interest in ensuring that its business, guests, employees and systems are |
|
|
information of the Company, its employees, its guests |
protected. |
|
|
and third parties |
This includes protecting our assets and the integrity of our systems; and detecting and preventing loss of |
|
|
|
|
|
|
|
confidential and proprietary information. |
|
|
|
This is also important to comply with our obligations to our guests and staff to protect their information. |
|
|
|
Effective business protection is important for business continuity and to protect the Company's reputation. |
|
|
|
This supports the Company's immediate and long-term business goals and outcomes. |
|
|
|
|
|
|
Legal compliance |
This processing is necessary for the compliance with legal obligations to which the Company is subject |
|
|
Complying with laws and regulation applicable to the |
including those laws set out. |
|
|
|
|
|
|
Company |
|
|
|
|
|
|
|
Commercial transactions or outsourcing |
Some of this processing is necessary for the compliance with legal obligations to which the Company is |
|
|
Planning, due diligence and implementation in relation |
subject. |
|
|
to a commercial transaction or service transfer |
Additional processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|
involving the Company that impacts on your |
The Company has a legitimate interest in managing its business operations in the most effective way. |
|
|
relationship with the Company through our CRM |
|
|
|
The Company needs to make decisions relating to the future of its business in order to preserve its |
|
|
|
systems. |
|
|
|
business operations or grow its business or maximise efficiency and effectiveness. |
|
|
|
|
|
|
|
|
In the event that the Company makes a decision to outsource a function or acquire or transfer a business |
|
|
|
or part of a business the Company and the third party with whom the Company is seeking to transact |
|
|
|
each have a legitimate interest in ensuring that the services offered to guests are upheld throughout any |
|
|
|
transition period. |
|
|
|
Business change programmes and transformation support business continuity and improvement and |
|
|
|
support the Company in achieving its long-term business goals and outcomes. |
|
|
|
|
|
|
Business reporting |
Some of this processing is necessary for the compliance with legal obligations to which the Company is |
|
|
For business operational and reporting documentation |
subject including statutory Company reporting obligations and corporate governance requirements. |
|
|
such as accounting, auditing, insurance, compliance |
Additional processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|
assessments, business development requirements, |
The Company has a legitimate interest in managing its workforce and operating its business, ensuring |
|
|
management and operational reporting, in accordance |
|
|
|
appropriate governance and controls are in place and to measure and report on financial management |
|
|
|
with business growth and operational activities |
and business performance. |
|
|
|
|
|
|
|
This includes appropriate preparation of management information reports; financial accounts and other |
|
|
|
reports including in relation to HR metrics such as retention or attendance; reporting for internal and |
|
|
|
external governance; and liaising with third parties such as investors or finance providers. |
|
|
|
Effective management information and reporting is important for effective management of the business, |
|
|
|
risk management and decision making. This supports business continuity and is important to support the |
|
|
|
Company's long-term business goals and outcomes. |
|
|
|
|
|
|
Stakeholder management |
The Company also has a legitimate interest in ensuring that it can engage with suppliers effectively and |
|
|
To operate the relationship with other third parties such |
that suppliers can access the information they need to provide the service for which they have been |
|
|
as suppliers including disclosure of information to data |
engaged. |
|
|
processors for the provision of services to the |
Effective communication with and engagement of suppliers is important for business continuity and |
|
|
Company |
improvement. |
|
|
|
This supports the Company's achievement of its immediate and long-term goals and outcomes. |
|
|
|
|
|
|
Communication and public relations |
This processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|
Where relevant for publishing appropriate internal or |
The Company has a legitimate interest in communicating effectively with its workforce, guests and other |
|
|
external communications or publicity material including |
stakeholders as well as carrying out appropriate business development activity. |
|
|
via social media in appropriate circumstances; |
That includes giving information to the workforce or, where appropriate guests, other stakeholders or the |
|
|
|
|
|
|
|
wider market about relevant business activities, plans or projects. That can include making reference to |
|
|
|
those of our staff who are involved in the relevant matters being communicated above. |
|
|
|
Effective employee, guest and other stakeholder communication and engagement contributes to |
|
|
|
attraction and retention of high calibre employees, development and retention of guest relationships, |
|
|
|
strong business performance, business growth and maintaining and enhancing the Company's |
|
|
|
reputation. This supports the Company's immediate and long-term business goals and outcomes. |
|
|
|
|
|
|
Complaints, claims and litigation |
This processing is necessary for the purpose of the legitimate interests pursued by the Company. |
|
|
To enforce our legal rights and obligations, and for any |
The Company has a legitimate interest in protecting its organisation from breaches of legal obligations |
|
|
purposes in connection with any complaint or legal |
owed to it and defending itself against litigation. This is needed to ensure that the Company's legal rights |
|
|
claim made by, against or otherwise involving you |
and interests are protected appropriately, to protect the Company's reputation and to protect the |
|
|
|
Company from other damage or loss. |
|
|
|
This is important to protect the business of the Company and ensure its continued success and growth. |
|
|
|
This supports the Company's immediate and long-term business goals and outcomes. |
|
|
|
|
|
8 / 9
|
Legal or regulatory disclosures |
This processing is necessary for the compliance with legal obligations to which the Company is subject |
|
|
To comply with lawful requests by public authorities |
where there is a legal obligation to disclose information or a court or other legal order to provide |
|
|
information is in place. |
|
|
|
(including without limitation to meet national security or |
|
|
|
law enforcement requirements), discovery requests, or |
Where not legally required, processing is necessary for the purpose of the legitimate interests pursued |
|
|
where otherwise required or permitted by applicable |
by the Company. |
|
|
laws, court orders, government regulations, or |
The Company has a legitimate interest in co-operating with relevant authorities, government bodies or |
|
|
regulatory authorities (including without limitation data |
|
|
|
regulators for the provision of information where appropriate. The Company wishes to maintain its |
|
|
|
protection, tax and employment), whether within or |
reputation as a good corporate citizen and to act ethically and appropriately in all the countries in which it |
|
|
outside your country; |
|
|
|
does business. |
|
|
|
|
|
|
|
|
This encourages compliance and high standards of business practice and protects the Company's |
|
|
|
reputation. This supports the Company's immediate and long-term business goals and outcomes. |
|
|
|
|
|
|
Analytics & Monitoring |
Merlin has a legitimate interest in using analytics to enhance and improve guest experience. Merlin uses |
|
|
To understand how you and others use our services, |
cookies to monitor interaction between guests and its website. |
|
|
|
|
|
|
for analytics and modelling and to create business |
|
|
|
intelligence and insights and to understand economic |
|
|
|
trends |
|
|
|
|
|
|
9 / 9