Privacy Notice
PRIVACY NOTICE IN ACCORDANCE WITH ARTICLE 13 OF EU REGULATION 679/2016
This is to inform you about the processing of your personal data in relation to the use of the Be Happy Pass Application ("App" or "Application"). The processing is carried out in accordance with the criteria set forth in the European Data Protection Regulation, EU Reg. 2016/679 ("GDPR").
LEGOLAND Billund Resort provides the services to the user ("User") according to the Terms and Conditions of Use and to this Privacy Notice. By using the App, the User will be able to create their own profile, allowing them to take advantage of the services offered by the App.
The Privacy Notice is provided only for the Be Happy Pass App licensed by the company LEGOLAND Billund Resort, and not for other websites that may be consulted by the User through links present within the App.
LEGOLAND Billund Resort may modify this Notice to keep it up to date with new regulatory interventions regarding privacy or any changes that may be made in personal data processing. The Privacy Notice should therefore be read regularly, to keep up to date with the type of data LEGOLAND Billund Resort collects, and how said data are used and shared.
DATA CONTROLLER
The Data Controller with regard to the services provided by the Be Happy Pass App is the company LEGOLAND Billund Resort ("Controller" or "LEGOLAND Billund"), Nordmarksvej 9, DK-7190 Billund, in the person of the current legal representative.
PRIVACY CONTACT DETAILS
For any privacy-related inquiries, LEGOLAND Billund can be reached at the following email address: data.protection@merlinentertainments.biz.
LEGOLAND Billund has appointed its own Data Protection Officer (DPO), who can also be contacted at the email address data.protection@merlinentertainments.biz.
All personal data will be collected, processed and used by LEGOLAND Billund in compliance with the applicable data protection provisions.
DATA SUBJECTS
The data subjects involved in the processing of personal data by the Data Controller for the purposes and processing activities referred to in the following sections are the Users of the App.
TYPE OF DATA PROCESSED
Certain personal data will be collected via the App: first name, last name, e-mail address, country, postal code, username, and password.
The User directly provides the data. The provision of such data is necessary to grant the App service and its operation.
The App uses only cookies, including third-party cookies and similar technologies, which are essential and necessary to make the App work properly. No other categories of cookies are involved. The strictly necessary cookies don’t need any consent and are always embedded to grant the functioning of the App. You can find further information about cookies in the Cookie Statement.
For operation and security purposes, the App and any third-party services used by it may collect System Logs, i.e., files that record interactions and may also contain personal data, such as the User's IP address, as well as information relating to preferred User location, current time zone, operating system, time zone, App version and interactions, Bluetooth-based beacon check-ins, and crash reports to identify and resolve technical issues.
This data is collected to enhance User experience, ensure App functionality, and provide personalized services.
PURPOSE OF PROCESSING AND LEGAL BASIS
Personal data are collected for the following purposes and processed according to the specific legal bases:
- to enable the User to use the services in accordance with what is accepted in the Terms and Conditions of Use. The legal basis is the performance of pre-contractual measures and the Terms and Conditions of Use accepted under Article 6(1)(b) GDPR. The nature of the provision is mandatory. Otherwise, the service will not be provided;
- to send newsletters and commercial messages related to products and services offered by LEGOLAND Billund and its Danish local partners, which are third-party attractions with no access to any personal data. The legal basis is the consent freely given by the User to the Controller, in accordance with Article 6(1)(a) GDPR. The provision of data is optional; the absence of such consent does not affect the ability to use the App;
- to fulfil a legal obligation to which the Data Controller is subject under Article 6(1)(c) GDPR;
- to ensure the security of the App or the use of the services, for the violation of the Terms and Conditions of Use as well as the prevention of any unlawful use of the App. The legal basis is the legitimate interest of the Data Controller pursuant to Article 6(1)(f) GDPR. In this regard, the User's personal data may be used in court or in the previous stages for the defence against abuse in the use of the App or related services by the User.
PROCESSING METHODS AND INFORMATION SECURITY
The Data Controller takes appropriate security measures to prevent unauthorised access, disclosure, modification or destruction of personal data. The processing is carried out by means of computer and/or IT tools, with organisational methods and logics strictly related to the indicated purposes.
PLACE OF PROCESSING
The data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located. In any case, the processing of personal data will take place within the European Economic Area.
DATA RECIPIENTS AND TRANSFER
For the pursuit of the processing purposes mentioned above, the Data Controller needs to communicate the personal data collected to third parties to manage the activities, as well as to guarantee the services offered by the App.
Third parties could be:
- service providers (e.g., external vendors for backend services, analytics, marketing and User communications);
- professional service firms, including auditors and legal advisors engaged to ensure regulatory compliance and support business operations;
- competent authorities (i.e., regulatory bodies or law enforcement agencies, if required by law or in response to legal requests).
LEGOLAND Billund is also part of the Merlin Group. Therefore, if necessary for the purposes for which the data was collected, it may be disclosed within the Merlin Group - especially to the Parent Company - as part of internal reporting and group-level operational oversight.
If you would like to know the list of all these persons to whom the data are disclosed, please write to data.protection@merlinentertainments.biz.
Within the scope of the aforementioned purposes and in relation to the location, in particular of the servers, of Group companies or third parties, the data may also be transferred outside the EU, in compliance with the adequacy decisions (Article 45 GDPR), or in compliance with the appropriate guarantees of the EU Commission (Article 46 GDPR), or in any case in compliance with what is otherwise provided for by the provisions in force (Article 49 GDPR). To confirm these guarantees or the place where they have been made available, please write to data.protection@merlinentertainments.biz.
STORAGE TIMES
Data are processed and stored for the time required by the purposes for which they were collected and, in any case, for no more than 5 years. Traffic data will be stored in an encrypted manner to ensure the security of the App and the prevention of unlawful acts, as per the legitimate interest of the Data Controller.
At the end of the retention period, Personal Data will be automatically deleted. Therefore, upon the expiry of this period, the right of access, erasure, rectification, and the right to Data portability can no longer be exercised.
The data collected for marketing purposes under letter b) of the paragraph "Purposes of the processing and legal bases" will be retained until the consent freely given by the data subject is revoked and, in any case, no longer than 5 years after it has been provided.
RIGHTS OF THE DATA SUBJECT
In relation to the processing of their personal data, the data subject can exercise certain rights (Articles 15-22 of the GDPR).
Specifically, the GDPR confers the right to access, rectify or erase personal data, restrict or oppose processing, and portability.
Where processing is based on consent, the data subject has the right to withdraw consent to the processing of their personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before such withdrawal.
The data subject also has the right to lodge a complaint with the supervisory authority, which is Danish Data Protection Agency, based in Borgergade 28, 1300 Copenhagen K, or take the matter to the competent judicial authority.
For the exercise of these rights, the data subject may complete the following request form.