Last Modified: June 20, 2018
So, if you’re looking for more information on how we collect, store, use and share your personal data we collect, this is the place for you!
Now to start us off with, a couple of practical but highly important details for you to take note of!
The LEGO Group is made up by several different legal entities spread around the world. Read more about the LEGO Group at LEGO.com/aboutus.
LEGO System A/S
Att: Data Protection Officer
Or by email: privacy.officer@LEGO.com
Telephone: +44 1 753 826 000
Please include your name and if you know it, the relevant LEGO Group company. If you don’t have that information, it’s absolutely fine and we will then, treat your request as if it the question relates directly to LEGO System A/S.
At any point while we are in possession of or processing your personal data, you have the following rights:
One thing to bear in mind before contacting us. Our sites and applications may contain links to other sites not owned or controlled by us. It could as an example be social media platforms/services. We are not responsible for the privacy practices of those sites, so if you have questions regarding such sites, you need to contact the site directly. We also really encourage you to be aware and read the privacy policies of other sites because they may very easily be collecting, storing, using and sharing your personal information.
You have the right to complain if you don’t feel the LEGO Group is living up to our responsibilities when it comes to your data.
We have a Global Data Protection Officer at the LEGO Group, who takes your complaint very serious. You can contact our Global Data Protection Officer on this email firstname.lastname@example.org. We will send you a confirmation within 5 days and do our very best to deal with the issue within 1 month. If the issue is difficult or requires a lot of work it may take longer, but we will keep you updated.
You always have the right to complain to the authorities as well, but because we take privacy matters very seriously, we would really appreciate it, if you would talk to us. The authority having the right to look at us, is the Danish Data Protection Agency. You can see further information on the webpage Datatilsynet.dk.
You can complain about:
We take your privacy really seriously, so we’ll only ask for the information we need to have so we can give you great service.
Whenever we collect customer data, we make sure:
We collect your personal and anonymous information from you when you visit any of the sites on our LEGO.com domain or when you use one of our applications. When you visit our online channels, you’ll be able to check if we’re collecting data under terms and conditions of the site.
We also receive information via third party when you visit our page on social media sites or channels (e.g Facebook, Twitter, Youtube, Instagram, Wechat etc).
When you’re visiting any of these online channels, we may collect:
As we’re a global company that sells toys directly to customers and offers many different experiences for our fans, we need to process personal customer data, so that:
Always keep in mind, that if you’re using a LEGO service through a third-party channel like social media or a LEGO app, your personal data may also be processed by that third-party according to their own privacy processes.
We may use automated decision making in processing your personal information for some services and products. An example is our fraud prevention and detection efforts on shop.LEGO.com. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.
When you visit our online channels or when you use third-party sites or platforms, we use technology such as cookies, flash cookies, pixels and web beacons to process your personal data.
Be mindful that if you do enable a prevent cookies functionality on your device, some of our services and functionalities on the site will no longer work.
We also collect information from other trusted sources, so we can update or add to the personal information we’ve collected ourselves.
Our subsidiaries (the other companies in the LEGO Group) may sometimes need to access your information to provide services to you on our behalf. Because the LEGO Group is passionate about your privacy, we have made a decision to implement the same privacy protection all over the world, so you can feel safe no matter which LEGO Group company is using your data. Legally, other LEGO Group companies will then be acting as ‘data processors’ and will be subject to data processing laws. They need your personal data so they can:
As our public forums and chat services can be read by everyone, any personal information you share on them can be seen publicly. If you’d like us to remove any of your personal information from public areas of the site, please contact our Costumer Service at LEGO.com/service. If we can’t remove your personal information for any reason, we’ll let you know why. If you’re under 16 years old, you’ll need the permission of a parent or guardian to use our public forums or chat features.
Please see our category list of trusted third parties that we may share your information with here.
We won’t share your personal information outside the LEGO Group except:
We’ll keep your personal information as long as your account is active or as long as it’s needed to provide a service. We have so called retention polices for each of the categories of personal information that we process.
If you’d like to cancel your account or for us to delete your data, we’ll only keep information that we need for legal reasons, to resolve disputes or to enforce our agreements.
Cookies are small data files that your browser places on your computer or device. A cookie itself does not contain or collect information. However, when it is read by a server via a web browser it can help a website deliver a more user-friendly service – for example, remembering previous purchases or account details.
Like most websites, our online channels and our applications (apps) collect some information (e.g. information on IP addresses, browsers, internet service providers, referring pages, exit pages, operating systems, date stamps, time stamps and clickstream data). This information won’t be linked to any other information we collect about you unless you have given your consent that we may do this.
We care deeply about making sure children are safe online and have extra privacy processes in place to make sure we’re keeping our younger fans safe when they’re using our online channels. In fact, some features have age gates so to prevent children from inadvertently using such features. We also take all reasonable care to secure that we don’t knowingly collect, store, use or process personal information from children who may use those features without proper parental consent.
We’ve joined a digital child safety program which audits our company on a yearly basis to make sure we follow the rules in the way interact with children online.
We also follow all relevant laws for children aged between 13 and 18 and when it comes to personal data, we consider anyone under the age of 16 years a child
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at Feedback-form.truste.com/watchdog/request. To view a list of properties covered by our Dispute Resolution provider, please click the seal located at the top of this section.
When we do process personal information from children, we take extra steps to protect their privacy including:
While some of our websites, channels and apps are designed with families and users of all ages in mind, others are intended to be used mainly by children. Whenever we collect personal information from a child, we only keep the information for the time we need it to provide a service or for the time it’s legally required to be kept on record.
While children can choose whether to share their information with us, there are features of our websites that won’t function if they haven’t given us their information. Where personal information is needed for features to function, we’ll only ask for information that is reasonably required to take part in the activity.
Here are some examples of times when we collect children’s data:
Children can register on our websites to access a variety of services including content, games and competitions. During registration, we may ask a child to provide their parent’s or guardian’s email address, the child’s first name, gender, their birth date, their username and password. We use this information for security and notification reasons. We strongly encourage children to create a username that excludes any personal information.
Some of our websites allow children to create or use content themselves. Since only some of these features require personal information from the child, not all activities require consent from a parent or guardian. Whenever an activity could potentially allow a child to share personal information, we either review the content ourselves and make sure personal information is removed or ask for permission from a parent or guardian to collect the data. Types of personal data that children have shared with us in the past include stories, free-text fields, drawings that allow text or free-hand entry of information, photographs of your child, sound clips, movie files or any type of content or other persistent identifiers that clearly identifies the child in some way. If, as well as collecting content that includes personal information, we also plan to share the content publicly or with a third party for their own use, we’ll ask the parent or guardian for ‘verifiable parental consent’ (which is a higher level of parental consent).
If a child wants to enter a competition, we ask for the personal information we need for a child to take part. We usually only ask for the child’s first name (so we can tell the difference between children from the same family) and the email address of a parent or guardian (so we meet legal requirements to notify the responsible adult). We’ll only contact the parent if the child wins the contest or sweepstake to find out where to send the prize. If the competition asks the child to create content to enter, we may need to ask for parental consent by email in advance to ensure we meet the privacy requirements for content children have created themselves (please see the information above about children creating content). Without consent, children won’t be able to take part in our competitions.
We may need ask for their child’s contact details (including their email address) so that we can reply to a question they’ve asked us. To meet legislative requirements around the world, we’ll delete any information we have on the child as soon as the reply’s been sent. If we need to get in touch with the child a second time, for example to reply to additional questions, we would request an email address from their parent or guardian. We’d then only keep the child’s online contact information for the time it takes us to honor their request and wouldn’t use the information for any other purpose. If we ever need a child’s online contact information for ongoing communication, we’d ask for the parent’s or guardian’s email address at the earliest opportunity so that we can keep the adult informed of the data we’re collecting and to give the parent an option to ask us to stop collecting data. Parents or guardians can opt out of any communication we have with their child at any time by following the unsubscribe instructions within each communication (if there is more than one type of communication, the adult may need to opt out of each individually). Alternatively, they can contact our LEGO Customer Service team.
Many apps send users ‘push notifications’ to their customers’ mobile phones or devices to tell them about updates (sometimes even when the app is not in use). Some of our apps are designed to be used by children. We ask children to provide the email address of their parent or guardian, so we can tell the adult about their child’s request before we send children push notifications from our apps. We don’t link the device identifier with any other personal information without parental consent. If you would like your child to stop receiving push notifications from one of apps, you can change the settings on the device your child’s using at any time.
Some of our websites, channels and apps are designed for children. We request consent from a parent or guardian by email before collecting information on a child’s street name, address or coordinates. We do that because such information will effectively make us able to identify a specific child. As an opposite, we don’t require parental consent to collect information on a child’s city, country or region as long as it isn’t linked directly to the specific child. The reason for this, is that such generic information will not make us able to identify a specific child. If you would like to stop us collecting this type of location information, you can adjust the settings on the device your child is using at any time. Alternatively, please contact our LEGO Customer Service team.
If we discover that we’ve unintentionally collected information from a child in a way that doesn’t meet COPPA requirements, we will delete the information immediately.
If we need to collect a child’s personal information, we’ll ask for parental consent according to COPPA legal requirements. We’ll send the child’s parent or guardian an email explaining what information we’re collecting, how we plan to use it and ask the parent to give or deny their consent. If we don’t receive parental consent in a reasonable time, we’ll delete all information we’ve collected from the child including the adult’s contact information that we asked for in order to request consent.
If we want to share a child’s personal information publicly or with a third party, we’ll seek a higher level of parental consent than the email request described above. We may ask for verification by credit card or other payment method (with a nominal charge involved), verification over the phone or through a video chat to a trained customer service representative or a signed consent form to be returned to us by mail, email attachment or fax. We may give the parent a guardian a PIN or password that they’ll be able to use in future communications to confirm the adult’s identity.
If a child under the age of 16 accesses an online channel that’s designed for children by using an age gate, we’ll email the child’s parent or guardian before collecting any personal information from the child. If you think that your child is taking part in an online activity that collects their personal information and you or another parent/guardian hasn’t received an email letting you know or seeking your consent, please contact our Data Privacy Officer at email@example.com. We won’t use email addresses provided for parental consent for any other purpose unless the adult has expressly opted in to marketing emails or taken part in an activity which allows email contact.
At any time, parents or guardians can refuse to allow us to use and collect further personal information from their child. Parents or guardians can ask us to delete the personal information we have collected in connection with their child’s account from our records. As personal information is required for some services, deleting a child’s records may result in an account, membership, or service being unavailable to the child in future.
If a child has a registered LEGO ID, parents or guardians can access, change or delete the personal information we’ve collected from their child by:
If you’d prefer to contact us, please let us know your child’s username along with the your own telephone number and email address. We’ll need to confirm your identity as the parent or guardian of the child before granting access to the child’s personal information. We will respond to your request within a reasonable timeframe.
If we make material changes to how we use Personal Information collected from a child under the age of 16, we’ll tell their parent or guardian by email and ask for ‘verifiable parental consent’ for the new uses of the child’s personal information.
If we’ve received high-level parental consent to share a child’s personal information publicly, we may also share personal information with our service provides or legal authorities. We may share information with our service providers including software solution companies, online security partners and customer services. Our contracts with these companies make sure they only use personal data for the agreed purpose.
We may share personal information to meet legal processes or if disclosure is required by law. As allowed by relevant laws, we may also share personal information collected from children to:
Parents have the right to consent to the collection, use and processing of their child’s personal information without also having to consent to the disclosure of that information to third parties. We don’t share information with third parties other than as described above.
We define LEGO Partners as other companies doing business with the LEGO Group. We process information on our LEGO Partner companies for collaboration and evaluation purposes.
The security, integrity and confidentiality of customer information is extremely important to us. We use technical, administrative and physical security measures to protect personal information from unauthorized access, disclosure, use and modification. All external transfers that contain personal information are done using encrypted technology. Credit card information is handled by approved service providers that meet PCI (Payment Card Industry) standards and have appropriate safeguards in place.
Although we regularly review our security procedures and evaluate new technology and methods to make our online channels safer, no security measures are perfect or impenetrable.
Our customers, employees and partners also play an important role in protecting information. We encourage customers to choose passwords that are difficult for others to guess and to keep their personal passwords secret.
Should you notice any flaws or concerns in our security, please contact our LEGO Customer Service team as soon as possible.
If we ever experience a data breach in which customer information is at risk of being misused, we’ll contact customers according to legal requirements. If necessary, we’ll also contact data protection authorities.
The Binding Corporate Rules provide the highest security to you when it comes to how your information is processed.
We want to make sure we as a minimum use the standards of data privacy and security that follows from the European General Data Protection Regulation (“GDPR”) anywhere in the world where we collect, store, use or share your personal data. Where your local rules require more from us than that, we will adjust our practice to make sure your data is safe with us no matter where in the world you are! To bind us to that promise we have implemented something called with Binding Corporate Rules with effect from June/2016 ‘Binding Corporate Rules. These rules are set by European data authorities across the European Union (EU) and set the some of the highest standards in the world on data collection, storage, use and sharing.
We generally collect personal information directly from you where this is reasonable and practical but may also acquire information from other trusted sources to update or supplement the personal information you provided or which we processed automatically.
The LEGO Group works with several trusted partners to secure that we provide you, our business partners and our employees with the best experience possible. This means that we will at times need to allow third parties to process personal data.
To give you an overview we have categorized the type of vendors we use and what we use them for on a category basis.
However, if you wish to know what cookies we are placing on your devices – please look at our detailed third- party cookie list.
We use a series of trusted partners world wide to provide us with IT services and system administration services - in regards to both our customer and partner facing activities as well as our internal IT and administration systems.
To secure a safe and efficient payment process both online, in our stores or through invoicing or money transfers.
We store our and your data at secure data centers around the world.
Working with the LEGO Group world wide to secure that the LEGO Group is not defrauded.
Helping us get our products into the hands of our customers and business partners around the world.
Helping us making sure catalogues and magazines come your way.
To be able to provide targeted and personalize advertisements, promotions and campaigns both when you are interacting with LEGO on our online platforms, on social media, instore or otherwise.
To be present and allow you to interact with the LEGO Group on the platforms where you are.
Helping us secure that we get your all-important feedback of your LEGO® experience!
Who require reporting of processing activities in certain circumstances.
Including lawyers, bankers, auditors and insurers globally, who provide consultancy, banking, legal, insurance and accounting services to the LEGO Group.