Last Modified: May 24th, 2018
So, if you’re looking for more information on how we collect, store, use and share your personal data, this is the place for you!
To start us off, here are a couple of practical but highly important details for you to take note of!
Who we are
The LEGO Group is made up of several different legal entities spread around the world. Read more about the LEGO Group here: https://www.lego.com/aboutus
How to contact us
LEGO System A/S
Att: Data Protection Officer
Or by email: privacy.officer@LEGO.com
Please include your name and, if you know it, the relevant LEGO Group company. If you don’t have that information, it’s absolutely fine and we will then treat your request as if the question relates directly to LEGO System A/S.
Your rights as someone we have personal data about (data subject)
At any point while we are in possession of or processing your personal data, you have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records. If we are legally obligated to keep the information or if it is impossible or disproportionate, we won’t delete it but we will only keep it for as long as it is needed and we have time limits on our data systems.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to have a computer make decisions about you directly (this doesn’t include general marketing based on your age or gender).
- Right to judicial review – if we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain.
One thing to bear in mind before contacting us: our sites and applications may contain links to other sites not owned or controlled by us. These could, for example, be social media platforms/services. We are not responsible for the privacy practices of those sites, so if you have questions regarding such sites, you need to contact the site directly. We also really encourage you to be aware of and read the privacy policies of other sites because they may very easily be collecting, storing, using and sharing your personal information.
Complaints about our behaviour
You have the right to complain if you don’t feel the LEGO Group is living up to our responsibilities when it comes to your data.
We have a Global Data Protection Officer at the LEGO Group, who takes your complaint very seriously. You can contact our Global Data Protection Officer at this email: firstname.lastname@example.org. We will send you a confirmation within 5 days and do our very best to deal with the issue within 1 month. If the issue is difficult or requires a lot of work it may take longer, but we will keep you updated.
You always have the right to complain to the authorities as well, but because we take privacy matters very seriously, we would really appreciate it if you would talk to us. The authority having the right to look at us is the Danish Data Protection Agency. You can see further information on their webpage: https://www.datatilsynet.dk/.
You can complain about:
- how your personal data has been processed;
- how your request for access to data has been handled;
- how your complaint has been handled;
- appeal against any decision made following a complaint.
Our rules for collecting data
We take your privacy really seriously, so we’ll only ask for the information we need to have so we can give you great service.
Whenever we collect customer data, we make sure:
- We ask for permission to collect the data
- We only use the data for the agreed reason and for the time it’s needed
- We will as a minimum meet the local data protection laws in the country where we provide you with a service via our website or our applications.
- We keep data that we’re legally required to have on record
- We explain why we need the data and how we’ll use it (unless we have legitimate reason not to)
- We check and update privacy information on a regular basis (we might also cross-check the data against other databases to make sure it’s correct)
- We don’t share data with anyone unless we have a legal or legitimate reason, or we have permission from you or, if you are a child under 16, from your parents.
Collecting data in our online channels
We collect personal and anonymous information from you when you visit any of the sites on our LEGO.com domain or when you use one of our applications. When you visit our online channels, you’ll be able to check if we’re collecting data under the terms and conditions of the site.
We also receive information via third parties when you visit our page on social media sites or channels (e.g. Facebook, Twitter, YouTube, Instagram, WeChat etc.).
Types of personal information we collect
When you’re visiting any of these online channels, we may collect:
- Registration information that we use to help you set up an account (e.g. your name, country, gender, date of birth, email address, username and password).
- Payment or transactional information that we use when you buy products or use online services (e.g. postal address, phone number or credit card number).
- Location information or your IP Address that we use to give you relevant online content.
- Information you’ve shared publicly on our forums.
- Information you’ve sent to an individual or group using our messaging, chat or post services
- Information you provide when you use our own online channels or third-party channels (such as social networks) or if you link your LEGO registration account to a third-party platform.
Why we need to process personal data
As we’re a global company that sells toys directly to customers and offers many different experiences for our fans, we need to process personal customer data, so that:
- Customers can buy products from our online LEGO Shop and have them delivered where they want
- Customers are able to register for any accounts and services they want to use
- Customers can use the online and offline LEGO experiences we’ve created for them
- Customers can share information on our public forums
- We can send customers any information they’ve asked us for or answer their questions
- We can ask customers to give us feedback on our services through questionnaires and surveys
- We can provide our customers with relevant marketing information about our products.
Always keep in mind that if you’re using a LEGO service through a third-party channel like social media or a LEGO app, your personal data may also be processed by that third party according to their own privacy processes.
We may use automated decision making in processing your personal information for some services and products. An example is our fraud prevention and detection efforts on shop.LEGO.com. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.
How we process personal data
When you visit our online channels or when you use third-party sites or platforms, we use technology such as cookies, flash cookies, pixels and web beacons to process your personal data.
Be mindful that if you enable functionality that prevents cookies on your device, some of our services and functionalities on the site will no longer work.
We also collect information from other trusted sources, so we can update or add to the personal information we’ve collected ourselves.
Sharing information with trusted subsidiaries (other LEGO companies)
Our subsidiaries (the other companies in the LEGO Group) may sometimes need to access your information to provide services to you on our behalf. Because the LEGO Group is passionate about your privacy, we have made a decision to implement the same privacy protection all over the world, so you can feel safe no matter which LEGO Group company is using your data. Legally, other LEGO Group companies will then be acting as ‘data processors’ and will be subject to data processing laws. They need your personal data so they can:
- Deliver products and services you’ve requested
- Get in touch with you about your account or transactions
- Send you information about our sites, applications and policies
- Send you any newsletters you’ve signed up for (you can unsubscribe at any time)
- Process information that the subsidiary is formally contracted to process on our behalf, e.g. carry out a purchase placed by you, manage your LEGO ID account activity or your VIP account data.
- Identify, review and stop any activities that could breach our policies or break the law
Sharing information on public forums and chat
As our public forums and chat services can be read by everyone, any personal information you share on them can be seen publicly. If you’d like us to remove any of your personal information from public areas of the site, please email our Customer Service. If we can’t remove your personal information for any reason, we’ll let you know why. If you’re under 16 years old, you’ll need the permission of a parent or guardian to use our public forums or chat features.
Sharing your LEGO ID
Sharing information on Social Media (Features) and Widgets
Sharing information with other companies
Please see our category list of trusted third parties that we may share your information with here.
We won’t share your personal information outside the LEGO Group except:
- When we need to protect the safety, security, rights and property of our customers or third-party partners;
- When we need to meet legal processes or if disclosure of the data is required by law;
- When we’re asking other companies such as couriers, shipping and warehouse service providers, payment providers, IT platform providers, fraud detection and prevention providers, survey providers, product catalogue providers and customer service suppliers to deliver services on our behalf. We have contracts with the companies to make sure they only use your personal information for agreed services and meet legal requirements;
- When we store your information using secure cloud storage services/facilities. We have contracts with companies to make sure they only use your personal information for the agreed services and meet legal requirements;
- If a merger, acquisition or sale of assets ever meant we needed to share information with a third party - in this case we’d email you and post a notice on our website to publish the change of owner and we’d also tell you how your data would be used and give you options regarding your personal data;
- When you’ve given us permission to share your information with third parties so they can send you information on their products and promotions (you can opt out of these emails by contacting our LEGO Customer Service team although in some cases you may also need to contact the third-party directly);
- When you have given us permission to share your information with third parties, so they can provide you with marketing information and promotions regarding our products (for example, personalised advertising provided via a social media platform). You can opt out of such marketing activities by adjusting your cookie settings on your device. In some cases, you may also need to contact the third party directly (in the case of social media, adjust your privacy settings and request deletion of collected information by the third-party site).
- When you’ve asked us to share your personal information with third-party sites or platforms like social networking sites – once it’s been shared, your personal data will be processed by that third-party according to their own privacy processes
How long do we keep your personal information
We’ll keep your personal information as long as your account is active or as long as it’s needed to provide a service. We have so-called retention policies for each of the categories of personal information that we process.
If you’d like to cancel your account or for us to delete your data, we’ll only keep information that we need for legal reasons, to resolve disputes or to enforce our agreements.
Cookies are small data files that your browser places on your computer or device. A cookie itself does not contain or collect information. However, when it is read by a server via a web browser it can help a website deliver a more user-friendly service – for example, remembering previous purchases or account details.
Like most websites, our online channels and our applications (apps) collect some information (e.g. information on IP addresses, browsers, internet service providers, referring pages, exit pages, operating systems, date stamps, time stamps and clickstream data). This information won’t be linked to any other information we collect about you unless you have given your consent that we may do this.
Keeping children safe online
We care deeply about making sure children are safe online and have extra privacy processes in place to make sure we’re keeping our younger fans safe when they’re using our online channels. In fact, some features have age gates to prevent children from inadvertently using such features. We also take all reasonable care to ensure that we don’t knowingly collect, store, use or process personal information from children who may use those features without proper parental consent.
We’ve joined a digital child safety program which audits our company on a yearly basis to make sure we follow the rules in the way we interact with children online.
We also follow all relevant laws for children aged between 13 and 18 and, when it comes to personal data, we consider anyone under the age of 16 years a child.
TrustArc Privacy Seal
When we do process personal information from children, we take extra steps to protect their privacy including:
- Making sure we tell parents what personal information we collect, store, use and process from their child and explaining whether we share the information
- Meeting legal requirements by asking for parental consent to collect, use and process a child’s data and asking for consent to send their children information about our products and services
- Limiting how we collect, store, use and process personal information from children so only data that is reasonably needed for them to take part in an online activity is collected
- Giving parents access or the option to ask for access to personal information we’ve collected from their child – parents can also ask for their children’s personal information to be changed or deleted
Collecting and using children’s information
While some of our websites, channels and apps are designed with families and users of all ages in mind, others are intended to be used mainly by children. Whenever we collect personal information from a child, we only keep the information for the time we need it to provide a service or for the time it’s legally required to be kept on record.
While children can choose whether to share their information with us, there are features of our websites that won’t function if they haven’t given us their information. Where personal information is needed for features to function, we’ll only ask for information that is reasonably required to take part in the activity.
Here are some examples of times when we collect children’s data:
- When children register online
Children can register on our websites to access a variety of services including content, games and competitions. During registration, we may ask a child to provide their parent’s or guardian’s name, their email address, their first name, gender, their birth date, their username and password. We use this information for security and notification reasons. We strongly encourage children to create a username that excludes any personal information.
- When children share content they’ve created themselves
Some of our websites allow children to create or use content themselves. Since only some of these features require personal information from the child, not all activities require consent from a parent or guardian. Whenever an activity could potentially allow a child to share personal information, we either review the content ourselves and make sure personal information is removed or ask for permission from a parent or guardian to collect the data. Types of personal data that children have shared with us in the past include stories, free-text fields, drawings, photographs, sound clips, movie files or any type of content that clearly identifies the child in some way. If, as well as collecting content that includes personal information, we also plan to share the content publicly or with a third party for their own use, we’ll ask the parent or guardian for ‘verifiable parental consent’ (which is a higher level of parental consent).
- When children enter contests and sweepstakes
If a child wants to enter a competition, we ask for the personal information we need for a child to take part. We usually only ask for the child’s first name (so we can tell the difference between children from the same family) and the email address of a parent or guardian (so we meet legal requirements to notify the responsible adult). We’ll only contact the parent if the child wins the contest or sweepstake to find out where to send the prize. If the competition asks the child to create content to enter, we may need to ask for parental consent by email in advance to ensure we meet the privacy requirements for content children have created themselves (please see the information above about children creating content). Without consent, children won’t be able to take part in our competitions.
- When children receive emails from us
We may need to ask for a child’s contact details (including their email address) so that we can reply to a question they’ve asked us. To meet legislative requirements around the world, we’ll delete any information we have on the child as soon as the reply’s been sent. If we need to get in touch with the child a second time, for example to reply to additional questions, we would request an email address from their parent or guardian. We’d then only keep the child’s online contact information for the time it takes us to honour their request and wouldn’t use the information for any other purpose. If we ever need a child’s online contact information for ongoing communication, we’d ask for the parent’s or guardian’s email address at the earliest opportunity so that we can keep the adult informed of the data we’re collecting and to give the parent an option to ask us to stop collecting data. Parents or guardians can opt out of any communication we have with their child at any time by following the unsubscribe instructions within each communication (if there is more than one type of communication, the adult may need to opt out of each individually). Alternatively, they can contact our LEGO Customer Service team.
- When children receive app push notifications
Many apps send ‘push notifications’ to their customers’ mobile phones or devices to tell them about updates (sometimes even when the app is not in use). Some of our apps are designed to be used by children. We ask children to provide the email address of their parent or guardian, so we can tell the adult about their child’s request before we send children push notifications from our apps. We don’t link the device identifier with any other personal information without parental consent. If you would like your child to stop receiving push notifications from one of our apps, you can change the settings on the device your child’s using at any time.
- When we collect location information
Some of our websites, channels and apps are designed for children. We request consent from a parent or guardian by email before collecting information on a child’s street name, address or coordinates. We do that because such information will effectively enable us to identify a specific child. By contrast, we don’t require parental consent to collect information on a child’s city, country or region as long as it isn’t linked directly to the specific child. The reason for this is that such generic information will not enable us to identify a specific child. If you would like to stop us collecting this type of location information, you can adjust the settings on the device your child is using at any time. Alternatively, please contact our LEGO Customer Service team.
- When we collect ‘persistent identifiers’
What if we accidentally collect children’s data?
If we discover that we’ve unintentionally collected information from a child in a way that doesn’t meet COPPA requirements, we’ll either delete the information or immediately ask for parent or guardian consent for the collection of the data.
Requesting parental consent
Asking for low-level consent by email
If we need to collect a child’s personal information, we’ll ask for parental consent according to COPPA legal requirements. We’ll send the child’s parent or guardian an email explaining what information we’re collecting, how we plan to use it and ask the parent to give or deny their consent. If we don’t receive parental consent in a reasonable time, we’ll delete all information we’ve collected from the child including the adult’s contact information that we asked for in order to request consent.
Asking for high-level ‘verifiable consent’
If we want to share a child’s personal information publicly or with a third party, we’ll seek a higher level of parental consent than the email request described above. We may ask for verification by credit card or other payment method (with a nominal charge involved), verification over the phone, a video chat or a signed consent form to be returned to us by mail, email attachment or fax. We may give the parent or guardian a PIN or password that they’ll be able to use in future communications to confirm the adult’s identity.
What if a parent or guardian hasn’t been contacted for consent?
If a child of 15 years old or younger accesses an online channel that’s designed for children by using an age gate, we’ll email the child’s parent or guardian before collecting any personal information on the child. If you think that your child is taking part in an online activity that collects their personal information and you or another parent/guardian hasn’t received an email letting you know or seeking your consent, please contact our Data Privacy Officer at email@example.com. We won’t use email addresses provided for parental consent for any other purpose unless the adult has expressly opted in to marketing emails or taken part in an activity which allows email contact.
Parental choices and controls
At any time, parents or guardians can refuse to allow us to use and collect further personal information from their child. Parents or guardians can ask us to delete the personal information we have collected in connection with their child’s account from our records. As personal information is required for some services, deleting a child’s records may result in an account, membership, or service being unavailable to the child in future.
If a child has a registered LEGO ID, parents or guardians can access, change or delete the personal information we’ve collected from their child by:
- Using their child’s username and password to log into their child’s LEGO ID account
- Getting in touch with our LEGO Customer Service team
If you’d prefer to contact us, please let us know your child’s username along with your own telephone number and email address. We’ll need to confirm your identity as the parent or guardian of the child before granting access to the child’s personal information.
If we make material changes to how we use Personal Information collected from a child under the age of 16, we’ll tell their parent or guardian by email and ask for ‘verifiable parental consent’ for the new uses of the child's personal information.
Sharing information we have consent to share with others
If we’ve received high-level parental consent to share a child’s personal information publicly, we may also share personal information with our service providers or legal authorities. We may share information with our service providers including software solution companies, online security partners and customer services. Our contracts with these companies make sure they only use personal data for the agreed purpose.
We may share personal information to meet legal processes or if disclosure is required by law. As allowed by relevant laws, we may also share personal information collected from children to:
- Comply with a request from a law enforcement or public agency (including schools or children services) or to avoid liability
- Make a disclosure that we believe may stop a crime being committed
- Help an investigation related to public safety
- Protect the safety of a child who’s using our online channels
- Protect the technology of our service providers or security of our online channels themselves
Parents have the right to consent to the collection, use and processing of their child’s personal information without also having to consent to the disclosure of that information to third parties. We don’t share information with third parties other than as described above.
We define LEGO Partners as other companies doing business with the LEGO Group. We process information on our LEGO Partner companies for collaboration and evaluation purposes.
Data security and integrity
The security, integrity and confidentiality of customer information is extremely important to us. We use technical, administrative and physical security measures to protect personal information from unauthorized access, disclosure, use and modification. All external transfers that contain personal information are done using encrypted technology. Credit card information is handled by approved service providers that meet PCI (Payment Card Industry) standards and have appropriate safeguards in place.
Although we regularly review our security procedures and evaluate new technology and methods to make our online channels safer, no security measures are perfect or impenetrable.
Our customers, employees and partners also play an important role in protecting information. We encourage customers to choose passwords that are difficult for others to guess and to keep their personal passwords secret.
Should you notice any flaws or concerns in our security, please contact our LEGO Customer Service team as soon as possible.
If we ever experience a data breach in which customer information is at risk of being misused, we’ll contact customers according to legal requirements. If necessary, we’ll also contact data protection authorities.
Data transfers, storage and processing globally
The Binding Corporate Rules provide the highest security to you when it comes to how your information is processed.
Binding Corporate Rules and local legal requirements
We want to make sure that, as a minimum, we use the standards of data privacy and security that follow from the European General Data Protection Regulation (“GDPR”) anywhere in the world where we collect, store, use or share your personal data. Where your local rules require more from us than that, we will adjust our practice to make sure your data is safe with us no matter where in the world you are! To bind us to that promise we have implemented, with effect from [June/2016?], something called ‘Binding Corporate Rules’. These rules are set by European data authorities across the European Union (EU) and set some of the highest standards in the world on data collection, storage, use and sharing.
- We generally collect personal information directly from you where this is reasonable and practical, but may also acquire information from other trusted sources to update or supplement the personal information you provided or which we processed automatically.
- We may also use your personal information to tell you about the products and services of the LEGO Group or third parties. From time to time, we and our LEGO Group entities and business partners may contact you by mail, telephone, email or other electronic messaging services (such as text, voice, sound or image messages including using automated calling systems) with information about products and services (including discounts and special offers). If you no longer wish to receive marketing or promotional information from us and our LEGO Group entities or our partners, you can unsubscribe at any time. There are certain messages relating to the goods and services we provide to you that cannot be unsubscribed from.
- Should the LEGO Group experience a data breach and your information be involved, we will contact you if there is a risk of serious harm to you and if we are legally obliged to do so. In some instances the LEGO Group will also be legally obliged to contact (data protection) authorities when a breach of privacy information occurs.
- We will take such steps that are reasonable in the circumstances (if any) to destroy or de-identify personal information when it is no longer required.
Third party vendor categories
The LEGO Group works with several trusted partners to ensure that we provide you, our business partners and our employees with the best experience possible. This means that we will at times need to allow third parties to process personal data.
To give you an overview we have categorised the type of vendors we use and what we use them for on a category basis.
However, if you wish to know what cookies we are placing on your devices, please look at our detailed third-party cookie list.
We process personal data with vendors in the following categories:
IT Service providers - we use a series of trusted partners worldwide to provide us with IT services and system administration services, with regard to both our customer and partner facing activities as well as our internal IT and administration systems.
Global payment provider and processing partners - to secure a safe and efficient payment process both online, in our stores or through invoicing or money transfers.
Cloud storage partners - we store our and your data at secure data centres around the world.
Fraud Prevention and detection partners and agencies – working with the LEGO Group worldwide to ensure that the LEGO Group is not defrauded.
Warehousing, packing, shipping and delivery partners – helping us get our products into the hands of our customers and business partners around the world.
Catalogue printing and mailing and postal partners - helping us make sure catalogues and magazines come your way.
Marketing partners – to be able to provide targeted and personalised advertisements, promotions and campaigns when you are interacting with LEGO on our online platforms, on social media, in store or otherwise.
Social Media Partners – to be present and allow you to interact with the LEGO Group on the platforms where you are.
Survey, questionnaires and product review suppliers - helping us ensure that we get your all-important feedback on your LEGO® experience!
Tax and customs authorities, regulators and other authorities globally - who require reporting of processing activities in certain circumstances.
Professional advisers - including lawyers, bankers, auditors and insurers globally, who provide consultancy, banking, legal, insurance and accounting services to the LEGO Group.