So, if you’re looking for more information on how we collect, store, use and share your personal data, this is the place for you!
To start us off, here are a couple of practical but highly important details for you to take note of!
Who we are
The LEGO Group is made up of several different legal entities spread around the world. Read more about the LEGO Group here: http://acedeallegotoys.com/index.php?route=information/information&information_id=4
How to contact us
ACEDEAL LIMITED LEGO
18, Christopher Street,
Att: Data Protection Officer
Or by email: email@example.com
Your rights as someone we have personal data about (data subject)
At any point while we are in possession of or processing your personal data, you have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records. If we are legally obligated to keep the information or if it is impossible or disproportionate, we won’t delete it but we will only keep it for as long as it is needed and we have time limits on our data systems.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organization.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to have a computer make decisions about you directly (this doesn’t include general marketing based on your age or gender).
- Right to judicial review – if we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain.
One thing to bear in mind before contacting us: our sites and applications may contain links to other sites not owned or controlled by us. These could, for example, be social media platforms/services. We are not responsible for the privacy practices of those sites, so if you have questions regarding such sites, you need to contact the site directly. We also really encourage you to be aware of and read the privacy policies of other sites because they may very easily be collecting, storing, using and sharing your personal information.
Our rules for collecting data
We take your privacy really seriously, so we’ll only ask for the information we need to have so we can give you great service.
Whenever we collect customer data, we make sure:
- We ask for permission to collect the data
- We only use the data for the agreed reason and for the time it’s needed
- We will as a minimum meet the local data protection laws in the country where we provide you with a service via our website or our applications.
- We keep data that we’re legally required to have on record
- We explain why we need the data and how we’ll use it (unless we have legitimate reason not to)
- We check and update privacy information on a regular basis (we might also cross-check the data against other databases to make sure it’s correct)
- We don’t share data with anyone unless we have a legal or legitimate reason, or we have permission from you or, if you are a child under 16, from your parents.
Collecting data in our online channels
We collect your personal and anonymous information from you when you visit any of the sites on our acedeallegotoys.com domain or when you use one of our applications. When you visit our online channels, you’ll be able to check if we’re collecting data under the terms and conditions of the site.
We also receive information via third parties when you visit our page on social media sites or channels (e.g. Facebook, Twitter, YouTube, Instagram, WeChat, etc.).
Types of personal information we collect
When you’re visiting any of these online channels, we may collect:
- Registration information that we use to help you set up an account (e.g. your name, country, gender, date of birth, email address, username and password).
- Payment or transactional information that we use when you buy products or use online services (e.g. postal address, phone number or credit card number).
- Location information or your IP Address that we use to give you relevant online content.
- Information you’ve shared publicly on our forums.
- Information you’ve sent to an individual or group using our messaging, chat or post services
- Information you provide when you use our own online channels or third-party channels (such as social networks) or if you link your LEGO registration account to a third-party platform.
Why we need to process personal data
As we’re a global company that sells toys directly to customers and offers many different experiences for our fans, we need to process personal customer data, so that:
- Customers can buy products from our online LEGO Shop and have them delivered where they want
- Customers are able to register for any accounts and services they want to use
- Customers can use the online and offline LEGO experiences we’ve created for them
- Customers can share information on our public forums
- We can send customers any information they’ve asked us for or answer their questions
- We can ask customers to give us feedback on our services through questionnaires and surveys
- We can provide our customers with relevant marketing information about our products.
Always keep in mind that if you’re using a LEGO service through a third-party channel like social media or a LEGO app, your personal data may also be processed by that third party according to their own privacy processes.
We may use automated decision making in processing your personal information for some services and products. An example is our fraud prevention and detection efforts on shop.LEGO.com. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.
How we process personal data
When you visit our online channels or when you use third-party sites or platforms, we use technology such as cookies, flash cookies, pixels and web beacons to process your personal data.
Be mindful that if you enable functionality on your device that prevents cookies, some of our services and functionalities on the site will no longer work.
We also collect information from other trusted sources, so we can update or add to the personal information we’ve collected ourselves.
Sharing information with trusted subsidiaries (other LEGO companies)
Our subsidiaries (the other companies in the LEGO Group) may sometimes need to access your information to provide services to you on our behalf. Because the LEGO Group is passionate about your privacy, we have made a decision to implement the same privacy protection all over the world, so you can feel safe no matter which LEGO Group company is using your data. Legally, other LEGO Group companies will then be acting as ‘data processors’ and will be subject to data processing laws. They need your personal data so they can:
- Deliver products and services you’ve requested
- Get in touch with you about your account or transactions
- Send you information about our sites, applications and policies
- Send you any newsletters you’ve signed up for (you can unsubscribe at any time)
- Process information that the subsidiary is formally contracted to process on our behalf, e.g. carry out a purchase placed by you, manage your LEGO ID account activity or your VIP account data.
- Identify, review and stop any activities that could breach our policies or break the law
Collecting and using children’s information
While some of our websites, channels and apps are designed with families and users of all ages in mind, others are intended to be used mainly by children. Whenever we collect personal information from a child, we only keep the information for the time we need it to provide a service or for the time it’s legally required to be kept on record.
While children can choose whether to share their information with us, there are features of our websites that won’t function if they haven’t given us their information. Where personal information is needed for features to function, we’ll only ask for information that is reasonably required to take part in the activity.
Here are some examples of times when we collect children’s data:
- When children register online
Children can register on our websites to access a variety of services including content, games and competitions. During registration, we may ask a child to provide their parent’s or guardian’s email address, the child’s first name, gender, their birth date, their username and password. We use this information for security and notification reasons. We strongly encourage children to create a username that excludes any personal information.
- When children share content they’ve created themselves
Some of our websites allow children to create or use content themselves. Since only some of these features require personal information from the child, not all activities require consent from a parent or guardian. Whenever an activity could potentially allow a child to share personal information, we either review the content ourselves and make sure personal information is removed or ask for permission from a parent or guardian to collect the data. Types of personal data that children have shared with us in the past include stories, free-text fields, drawings that allow text or free-hand entry of information, photographs of your child, sound clips, movie files or any type of content or other persistent identifiers that clearly identifies the child in some way. If, as well as collecting content that includes personal information, we also plan to share the content publicly or with a third party for their own use, we’ll ask the parent or guardian for ‘verifiable parental consent’ (which is a higher level of parental consent).
- When children enter contests and sweepstakes
If a child wants to enter a competition, we ask for the personal information we need for a child to take part. We usually only ask for the child’s first name (so we can tell the difference between children from the same family) and the email address of a parent or guardian (so we meet legal requirements to notify the responsible adult). We’ll only contact the parent if the child wins the contest or sweepstake to find out where to send the prize. If the competition asks the child to create content to enter, we may need to ask for parental consent by email in advance to ensure we meet the privacy requirements for content children have created themselves (please see the information above about children creating content). Without consent, children won’t be able to take part in our competitions.
- When children receive emails from us
We may need to ask for a child’s contact details (including their email address) so that we can reply to a question they’ve asked us. To meet legislative requirements around the world, we’ll delete any information we have on the child as soon as the reply’s been sent. If we need to get in touch with the child a second time, for example to reply to additional questions, we would request an email address from their parent or guardian. We’d then only keep the child’s online contact information for the time it takes us to honor their request and wouldn’t use the information for any other purpose. If we ever need a child’s online contact information for ongoing communication, we’d ask for the parent’s or guardian’s email address at the earliest opportunity so that we can keep the adult informed of the data we’re collecting and to give the parent an option to ask us to stop collecting data. Parents or guardians can opt out of any communication we have with their child at any time by following the unsubscribe instructions within each communication (if there is more than one type of communication, the adult may need to opt out of each individually). Alternatively, they can contact our LEGO Customer Service team.
- When children receive app push notifications
Many apps send ‘push notifications’ to their customers’ mobile phones or devices to tell them about updates (sometimes even when the app is not in use). Some of our apps are designed to be used by children. We ask children to provide the email address of their parent or guardian, so we can tell the adult about their child’s request before we send children push notifications from our apps. We don’t link the device identifier with any other personal information without parental consent. If you would like your child to stop receiving push notifications from one of our apps, you can change the settings on the device your child’s using at any time.
- When we collect location information
Some of our websites, channels and apps are designed for children. We request consent from a parent or guardian by email before collecting information on a child’s street name, address or coordinates. We do that because such information would effectively enable us to identify a specific child. By contrast, we don’t require parental consent to collect information on a child’s city, country or region as long as it isn’t linked directly to the specific child. The reason for this is that such generic information will not enable us to identify a specific child. If you would like to stop us collecting this type of location information, you can adjust the settings on the device your child is using at any time. Alternatively, please contact our LEGO Customer Service team.
- When we collect ‘persistent identifiers’
What if we accidentally collect children’s data?
If we discover that we’ve unintentionally collected information from a child in a way that doesn’t meet COPPA requirements, we will delete the information immediately.
Requesting parental consent
Asking for low-level consent by email
If we need to collect a child’s personal information, we’ll ask for parental consent according to COPPA legal requirements. We’ll send the child’s parent or guardian an email explaining what information we’re collecting, how we plan to use it and ask the parent to give or deny their consent. If we don’t receive parental consent in a reasonable time, we’ll delete all information we’ve collected from the child including the adult’s contact information that we asked for in order to request consent.
Asking for high-level ‘verifiable consent’
If we want to share a child’s personal information publicly or with a third party, we’ll seek a higher level of parental consent than the email request described above. We may ask for verification by credit card or other payment method (with a nominal charge involved), verification over the phone or through a video chat to a trained customer service representative or a signed consent form to be returned to us by mail, email attachment or fax. We may give the parent or guardian a PIN or password that they’ll be able to use in future communications to confirm the adult’s identity.
What if a parent or guardian hasn’t been contacted for consent?
If a child under the age of 16 accesses an online channel that’s designed for children by using an age gate, we’ll email the child’s parent or guardian before collecting any personal information from the child. If you think that your child is taking part in an online activity that collects their personal information and you or another parent/guardian hasn’t received an email letting you know or seeking your consent, please contact our Data Privacy Officer at firstname.lastname@example.org. We won’t use email addresses provided for parental consent for any other purpose unless the adult has expressly opted in to marketing emails or taken part in an activity which allows email contact.
Parental choices and controls
At any time, parents or guardians can refuse to allow us to use and collect further personal information from their child. Parents or guardians can ask us to delete the personal information we have collected in connection with their child’s account from our records. As personal information is required for some services, deleting a child’s records may result in an account, membership, or service being unavailable to the child in future.
If a child has a registered LEGO ID, parents or guardians can access, change or delete the personal information we’ve collected from their child by:
- Using their child’s username and password to log into their child’s LEGO ID account
- Getting in touch with our LEGO Customer Service team
If you’d prefer to contact us, please let us know your child’s username along with your own telephone number and email address. We’ll need to confirm your identity as the parent or guardian of the child before granting access to the child’s personal information. We will respond to your request within a reasonable timeframe.
If we make material changes to how we use Personal Information collected from a child under the age of 16, we’ll tell their parent or guardian by email and ask for ‘verifiable parental consent’ for the new uses of the child's personal information.
Sharing information we have consent to share with others
If we’ve received high-level parental consent to share a child’s personal information publicly, we may also share personal information with our service providers or legal authorities. We may share information with our service providers including software solution companies, online security partners and customer services. Our contracts with these companies make sure they only use personal data for the agreed purpose.
We may share personal information to meet legal processes or if disclosure is required by law. As allowed by relevant laws, we may also share personal information collected from children to:
- Comply with a request from a law enforcement or public agency (including schools or children services) or to avoid liability
- Make a disclosure that we believe may stop a crime being committed
- Help an investigation related to public safety
- Protect the safety of a child who’s using our online channels
- Protect the technology of our service providers or security of our online channels themselves
Parents have the right to consent to the collection, use and processing of their child’s personal information without also having to consent to the disclosure of that information to third parties. We don’t share information with third parties other than as described above.
We define LEGO Partners as other companies doing business with the LEGO Group. We process information on our LEGO Partner companies for collaboration and evaluation purposes.
Data security and integrity
The security, integrity and confidentiality of customer information are extremely important to us. We use technical, administrative and physical security measures to protect personal information from unauthorized access, disclosure, use and modification. All external transfers that contain personal information are done using encrypted technology. Credit card information is handled by approved service providers that meet PCI (Payment Card Industry) standards and have appropriate safeguards in place.
Although we regularly review our security procedures and evaluate new technology and methods to make our online channels safer, no security measures are perfect or impenetrable.
Our customers, employees and partners also play an important role in protecting information. We encourage customers to choose passwords that are difficult for others to guess and to keep their personal passwords secret.
Should you notice any flaws or concerns in our security, please contact our LEGO Customer Service team as soon as possible.
If we ever experience a data breach in which customer information is at risk of being misused, we’ll contact customers according to legal requirements. If necessary, we’ll also contact data protection authorities.
Data transfers, storage and processing globally
The Binding Corporate Rules provide the highest security to you when it comes to how your information is processed.
Binding Corporate Rules and local legal requirements
We want to make sure that, as a minimum, we use the standards of data privacy and security that follow from the European General Data Protection Regulation (“GDPR”) anywhere in the world where we collect, store, use or share your personal data. Where your local rules require more from us than that, we will adjust our practice to make sure your data is safe with us no matter where in the world you are! To bind us to that promise we have implemented something called ‘Binding Corporate Rules’ with effect from June 2016. These rules are set by European data authorities across the European Union (EU) and set some of the highest standards in the world on data collection, storage, use and sharing.
We generally collect personal information directly from you where this is reasonable and practical but may also acquire information from other trusted sources to update or supplement the personal information you provided or which we processed automatically.
- We may also use your personal information to tell you about the products and services of the LEGO Group or third parties. From time to time, we and our LEGO Group entities and business partners may contact you by mail, telephone, email or other electronic messaging services (such as text, voice, sound or image messages including using automated calling systems) with information about products and services (including discounts and special offers). If you no longer wish to receive marketing or promotional information from us and our LEGO Group entities or our partners, you can unsubscribe at any time. There are certain messages relating to the goods and services we provide to you that cannot be unsubscribed from.
- Should the LEGO Group experience a data breach and your information be involved, we will contact you if there is a risk of serious harm to you and if we are legally obliged to do so. In some instances, the LEGO Group will also be legally obliged to contact (data protection) authorities when a breach of privacy information occurs.
- We will take such steps that are reasonable in the circumstances (if any) to destroy or de-identify personal information when it is no longer required.