Privacy Policy

Last Modified: February 8, 2024

IMPORTANT ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

SECTION 1: DATA PRIVACY LAW AND YOUR DIGITAL RIGHTS

What is this Policy all about?

Welcome to our Privacy Policy! It’s great that you’d like to know more about how we keep your information safe. This policy will give you information about how we look after your personal data when you visit or use our services or our applications (apps). The Privacy Policy also tells you about your privacy rights and how the law protects you. Finally, this Privacy Policy covers both our online and offline data collection activities, including personal data that we may collect through our various channels such as websites, apps, third party social networks, retail stores, points of sales and events.

This is our overall Privacy Policy. For some jurisdictions, additional country/state specific provisions apply. Click here to be directed to the specific provisions.

In other words, if you’re looking for more information on how we collect, store, use and share your personal data, this is the place for you!

Who is responsible for your personal data?

The LEGO Group is made up by several different legal entities spread around the world. You can read more about the LEGO Group here https://www.lego.com/aboutus.

This Privacy Policy is issued on behalf of all the companies in the LEGO Group where LEGO System A/S is the data controller (the one responsible and in charge of the data). In some circumstances a local LEGO Group entity has identified their own data controller for their local country where local processing is taking place. For the purposes of this Privacy Policy when we use “we”, “us” or “our” in this Policy, we are talking about LEGO System A/S.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Policy, please contact us. You can also send a letter to the DPO at:

   LEGO System A/S
   Aastvej 1,
   7190 Billund,
   Denmark
   Att: DPO

Please include your name and country to which your inquiry relates.

Your privacy rights

As a data subject you have the following rights in respect of the personal data we hold on you:

  • Request access to your personal data. You have a right to access the personal data we are keeping about you. In many cases this information is already present to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the LEGO Group’s business practices, know-how, business secrets and internal assessments.

  • Request correction of incorrect or incomplete data. If the data we have pertaining to you are incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.

  • Request erasure You have the right to request deletion of your data when:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. you withdraw your consent to the processing and there is no other legitimate reason for processing;
  3. you object to the processing and there is no justified reason for continuing the processing;
  4. or the processing is unlawful

Please note that, in certain circumstances, we may be required to retain some of your personal data after you have requested deletion to satisfy our legal or contractual obligations. We may also be permitted by applicable laws to retain some of your personal data to satisfy our business needs.

  • Limitation of processing of personal data. If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of this data. The processing will be restricted to storage only, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests. Even when processing of your data has been restricted as described above, the LEGO Group may process your data in other ways if this is necessary to enforce a legal claim or to process previously collected data if you have earlier given your consent.
  • Object to processing based on our legitimate interest. You can always object to the processing of personal data about you which is based on legitimate interest. If we are processing your data for direct marketing and profiling in connection to such marketing, your objection will always be sustained. For objections to processing for other purposes, we will conduct a legitimate interest balancing test and consider whether to support your objection.
  • Data portability. You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract.
  • Other rights. You have the right to lodge a complaint with The Danish Data Protection Agency, if you are dissatisfied with the way we process your personal data. You will find the Danish Data Protection Agency’s contact information at www.datatilsynet.dk.

Further information: updates

If we change the way we handle your personal data, we will update this Privacy Policy. We reserve the right to make changes to our practices and this Privacy Policy at any time, so please check back frequently to see any updates or changes to our Privacy Policy.


SECTION 2: PERSONAL DATA

What personal data does the LEGO Group collect?

Personal data is any information about a person from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar unique identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers or similar contact data.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, user ID, MAC ID and other technology on the devices you use to access this website.
  • Profile Data includes your username and password.
  • Purchaser Data includes purchases or orders made by you, services requested, rewards or benefits requested or used, your interests, preferences, and feedback or survey responses.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties, participate in sweepstakes and other prize competitions and your communication preferences.
  • Tracking Data including data about what pages you visited prior to landing on our websites or where you traveled after visiting our website as well as how you interacted with emails or other messages sent to you by us (e.g. if you deleted or opened the email).

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data because this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We use Pseudonymized Data in order to minimize the privacy impact to you.

Pseudonymization is a method that replaces or removes information in the dataset that identifies an individual but permits a data controller or third party to reidentify the personal data with reasonable effort. It is important to be aware that unlike anonymization, pseudonymization does not remove all identifying information from the data but reduces the linkability of a dataset with the identity of an individual.

We do not proactively collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, or genetic information, biometric data for identification purposes, or information about criminal convictions and offences.

If you fail to provide necessary personal data to us (we will let you know when this is the case, for example, by making this information clear in our registration forms), we may not be able to provide you with our goods and/or services.

How does the LEGO Group collect personal data from you?

We collect personal data from the following sources:

  • Websites includes any websites operated by or for the LEGO Group, including sites that we operate under our own domains/URLs and mini-sites that we run on third party social networks such as Facebook.
  • Mobile games/apps includes mobile games or applications operated by or for the LEGO Group, such as smartphone apps.
  • E-mail, text and other electronic messages includes electronic communications between you and the LEGO Group.
  • Customer Service includes calls or online chats with our Customer Service personnel.
  • Retail stores, which includes stores managed by or for the LEGO Group.
  • Online registration forms including LEGO® Insiders account registration, LEGO Life magazine subscriptions.
  • Offline registration forms includes printed registration and similar forms that we collect via, for example, postal mail, in-store demos, contests and other promotions, or events.
  • Online consumer contests and sweepstakes
  • Our LEGO® Insiders program including your activities within the program.
  • Research in which you and/or your children may participate, both in person and online.

Personal data the LEGO Group may collect from third parties

We may receive personal data about you from various third parties and public sources as set out below:

  • Technical Data from the following parties:
  1. analytics providers;
  2. advertising networks; and
  3. search information providers.
  • Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
  • Identity and Contact Data from data brokers or aggregators.
  • Identity and Contact Data from publicly available sources.
  • Identity, Contact and Login Data from third parties who you have instructed to share data with us (for example, to sign- in to your LEGO account using a third-party game or social media service like Epic Games or Facebook).
  • Identity, Contact and Purchaser Data from retail and entertainment partners such as Merlin Entertainments and LEGO Certified Store partners.
  • Tracking Data from third party platforms such as social media platforms or search engines or websites such as partner websites or applications.

How does the LEGO Group use your personal data?

Purposes and legal bases for processing

LEGO® apps and online channels
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Use a LEGO® app or online channel
  • Technical data
  • Usage data
  • Tracking data
  • Purchase data
  • Identity data
  • Profile data
  • Additionally, data is collected using cookies* on our apps or websites (to the extent you have consented to the use of cookies). See Section 3 of this Policy or our Cookie Policy for more information about how cookies work and what types of data they collect
  • If you want to set up a LEGO® Insiders Account for use on our apps and online channels, we process certain Identity Data, Contact Data and Profile Data, which is provided by you when signing up for a LEGO Insiders Account or editing your profile.
*If a child under the age of majority accesses an online channel that is designed for children by using an age gate, we will obtain parental consent before collecting any personal information from the child (see Section 4 in this Policy for further information)
  • To optimize the user experience and the functionality of our apps and
  • To deliver tailored marketing, including retargeting for users above the age of majority, if you have provided us with your consent (see our Cookie Declaration for more information)
  • For users above the age of majority, to deliver a tailored website content and experiences based on the data we have about you.
  • To improve and tailor your experience on our apps, websites, and services (like the LEGO® Insiders program and the LEGO.com Preference Center)
  • To ensure that content from our apps and websites is optimized for you and for your computer or device
  • To allow you to participate in interactive features when you choose to do so
  • To help you setup a LEGO® Insiders Account
  • To verify and document that the creator of a LEGO® Insiders Account is not a child under the age of 16.
  • To be able to generate statistics and insights based on Aggregated Data to understand the health of our business and measuring the effectiveness of our advertising campaigns and promotions
  • To give adult users relevant marketing both when engaging with us in our own channels as well as via third party channels (e.g. social media, search sites, market places)
  • To find recruit potential new customers that look like our current customers
  • Your consent, art. 6(1)(a), GDPR, in connection with our use of cookies (to the extent such consent is provided)
  • Your consent, art 6(1) (a), GDPR in connection to delivering a tailored website experience.
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to be able to optimize and improve our apps and online channels, to be as relevant to our adult consumers as possible in our marketing efforts both in our own channels as well as in third party channels;, to ensure that our apps and websites are running smoothly for consumers, and to ensure that we process no personal data of a child under the age of 16 without parental consent.

Order fulfillment
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Place an order with us
  • Identity Data and Contact Data
  • Purchaser Data
  • Financial Data
  • If you want to setup a LEGO® Insiders Account for use on our apps and online channels, we process certain Identity Data, Contact Data and Profile Data, which is provided by you when signing up for a LEGO® Insiders Account or editing your profile.
  • Transaction Data
  • Technical Data
  • To fulfil the purchasing agreement made with you, which includes processing and shipping your orders and administering your rights to return goods or file a complaint
  • To be compliant with legislation concerning e.g., product recalls, bookkeeping and consumer rights
  • To know who our shoppers are
  • To allow you to store your Payment Data, Identity Data and Contact Data or similar for ease of future purchases or interactions with us
  • To conduct fraud prevention activities
  • Performance of a contract, art. 6(1)(b), GDPR, in relation to our mutual purchasing agreement
  • Legal obligation, art. 6(1)(c), GDPR, in relation to our compliance with legislation concerning e.g., product recalls, bookkeeping and consumer rights
  • Legitimate interest, art. 6(q) (f) GDPR. Our legitimate interest in knowing our shoppers and provide them with a seamless shopping experience
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to prevent fraudulent activities in connection with purchases made on our websites

Customer support
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Interact with our customer support functions
  • Identity Data and Contact Data
  • Transaction Data
  • Usage Data
  • Technical Data and Information about technical issues
  • Product questions/complaints
  • Feedback (e.g., relayed via our communication channels or social media)
  • General questions
  • Other information or content regarding the reason for your inquiry
  • To provide you with support
  • To locate orders or send you replacements
  • To gain insights on how we can improve our products and services
  • To act according to applicable law in responding to consumer complaints
  • To fulfil the agreement, we have made with your regarding your purchase from us
  • Your Consent, art. 6(1)(a), GDPR, when you contact our customer support and provide us with information about your support request
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to optimize our customer services and products
  • Legal obligation, art. 6(1)(c), GDPR, in connection to our compliance with legislation
  • Performance of a contract, art. 6(1)(b), GDPR, in relation to our mutual purchasing agreement

Digital Marketing communications (e.g email, SMS, push messages in app messages or similar direct marketing)
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
  • Subscribe to one or more of our digital marketing communications where opt in subscription is legally required
  • Have not opted out of receiving one or more of our digital marketing communications of our newsletters
  • Marketing and Communications Data
  • Necessary Identify Data
  • Information about which type of marketing communication you open and how you engage with the content
  • To be able to deliver our digital marketing communications to you
  • To run internal statistics and gain insights and to optimize and tailor both the content and delivery of our communications newsletter to those who want to receive it
  • To give you relevant marketing based on your interests and preferences both when engaging with us in our own LEGO® branded channels as well as via third party channels (e.g. social media, search sites, market places)
  • To find /recruit potential new customers that look like our current customers (“look alike”) or ensure that are current customers are not targeted with irrelevant marketing messages (“supression”)
  • Your consent, art. 6(1)(a), GDPR, which is provided upon your subscription to the marketing communication
  • Our legitimate interest, art. 6 (1) (f) GDPR in understanding our marketing effectiveness outside our own channels (e.g. via Social Media, search engines or market places)
  • Your consent, art. 6 (1) (a) GDPR to allow us to target you with personalized marketing outside of our own branded channels (e.g. via Social Media, search engines or market places)
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest in providing you with relevant content of your marketing message based on aggregated insights from shoppers and users on our website
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to get statistics for internal use to improve our products and services

Postal marketing including Catalogues
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
  • Actively shop on our website
  • Not opt out of receiving a postal marketing from us
  • Actively requested to receive a LEGO® catalogue
  • Allow a third-party data broker to send you marketing catalogues
  • Marketing and Communications Data
  • Necessary Identity and Contact Data
  • To send you our postal marketing including catalogues
  • To share with our third-party data brokers and data aggregators to ensure you are not being sent a LEGO® Catalogue or LEGO postal marketing from both of us at the same time (also called data suppression) or forward your opt-out request to them (where they are data controllers of your personal data)
  • Based on aggregated data understand the relevance and effectiveness of our marketing towards you to find new customers that are similar to you
  • Our legitimate interest, art. 6(1)(f), GDPR, in sending you a postal marketing including catalogues containing similar products to what you have purchased (allowing you subsequently to opt out)
  • Our legitimate interest, art. 6(1)(f), GDPR, in sending you the postal marketing including catalogue you have expressly requested from us
  • Your consent, art 6(1)(a), GDPR, to allow us to use other data we have about you to specifically tailor the content of the postal marketing including catalogues we send to you
  • Our legitimate interest, art. 6(1)(f), GDPR, in ensuring a good LEGO® brand experience
  • Our legitimate interest, art. 6(1)(f), GDPR, in understanding the general marketing effectiveness of our postal marketing overall.
  • Our legitimate interest art 6 (1) (f) GDPR in using your data to better understand the characteristics and preferences of our existing customer and use that to find new customers similar to you
  • Your consent, art. 6(1)(a), GDPR, to allow us to use other data we have about you to specifically tailor the content of the postal marketing including catalogue we send to you

LEGO® Insiders account administration and statistics & insights
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Sign up for and use a LEGO® Insiders account
  • We process certain Identity Data, Contact Data and Profile Data, which is given by you when signing up for a LEGO® Insiders account or editing your profile
  • Information about your LEGO® Insiders card number
  • Transaction Data and Purchaser Data if you have utilized your LEGO® Insiders membership in connection with purchases
  • Information collected using cookies (to the extent you have consented to the use of cookies)
  • For us to be able to administer your LEGO® Insiders membership and provide you with access to LEGO® Insiders membership benefits
  • For us to be able to communicate with you about your LEGO® Insiders membership
  • To see how you have earned and spent your LEGO® Insiders points
  • To create a tailored experience when you are logged in to your LEGO® Insiders account, which includes to show products we think you may like
  • To generate statistics and insights based on Aggregated Data to improve the LEGO® Insiders program and to create more value for our shoppers who sign up. For instance, this includes to improve future rewards selection and policy changes of the LEGO® Insiders program. We do this to be able to assess and optimize the health of the LEGO® Insiders program and to administer, develop and market the program
  • To give you relevant marketing based on your interests and preferences both when engaging with us in our own LEGO® branded channels as well as via third party channels (e.g. social media, search sites, market places)
  • To find recruit potential new customers that look like our current customers (“look alike”) or ensure that are current customers are not targeted with irrelevant marketing messages (“suppression”)
  • Performance of a contract, art. 6(1)(b), GDPR, which is our agreement with you about your LEGO® Insiders
  • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to provide you with relevant information when using our platforms
  • Your consent, art. 6(1)(a), GDPR, in connection with our use of cookies (to the extent such consent is provided)
  • Legitimate interest, art. 6(1)(f), GDPR, in connection with generating statistics and insights based on Aggregated Data
  • Our legitimate interest, art. 6 (1) (f) GDPR in using your data to better understand the characteristics and preferences of our existing customer and use that to find new customers that are similar to you
  • Our legitimate interest, art. 6 (1) (f) GDPR in understanding our marketing effectiveness outside our own channels (e.g., via Social Media, search engines or market places)
  • Your consent, art. 6 (1) (a) GDPR to allow us to target you with personalized marketing outside of our own channels (e.g., via Social Media, search engines or market places)

LEGO® Insiders account personalized experience and marketing
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Use your LEGO® Insiders account while having provided us with your consent give you relevant content and experiences
  • Transaction Data, Tracking Data and Purchaser Data if you have utilized your LEGO Insiders membership in connection with purchases, which includes information about which webpages you are browsing on LEGO.com and which products you are clicking on when you are logged into your LEGO Insiders account
  • Information about which emails or other marketing messages you open and clicked
  • Information collected using cookies (to the extent you have consented to the use of cookies)
  • Information about which contests or sweepstakes you participate in
  • Information about which products you have registered in your LEGO Insiders account
For us to be able to automatically tailor our marketing and your experiences to you and your personal interests from predicting your preferences based on your personal information, including information relating to balances of Insiders points, LEGO Insiders point redemption history, LEGO Insiders member activity, purchase history, product preferences, online browsing cookie data (if opted into separately), your location data and any other information connected to your LEGO Insiders account.
  • Your consent, art. 6(1)(a), GDPR, in connection with advanced analytics. Your consent can be provided by opting-in when creating a LEGO Insiders account or by opting-in on your LEGO Insiders account page
  • Your consent, art. 6(1)(a), GDPR, in connection with personalization flow on LEGO.com
  • Your consent, art. 6(1)(a), GDPR, in connection with our use of cookies (to the extent such consent is provided)

Contests, sweepstakes, marketing and other promotions
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Enter a contest or sweepstake or receive communication from us about contests, sweepstakes, campaigns, or promotions
  • Identity Data
  • Contact Data
  • To administer contests and sweepstakes
  • To generate statistics and insights based on Aggregated Data for us to establish the health of our business and of our campaigns and promotions
  • To contact you if you win a prize
  • Fulfill regulatory requirements
  • Performance of a contract, art. 6(1)(b), GDPR, which is our agreement with you about the terms of the contest or sweepstake
  • Legitimate interest, art. 6(1)(f), GDPR in connection with generating statistics and insights based on Aggregated Data and in connection with contacting you if you win a prize
  • Legal obligation, art. 6(1)(c), GDPR.

The LEGO Group’s own social networks
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Interact with the LEGO Group’s social networks (such as LEGO® Life , LEGO® Insiders Club, LEGO® Insiders community, and LEGO® Ideas.) Information you have made available, which may include comments, images, designs, reactions, sharing of our social media account posts or other user generated content
  • To answer your questions
  • To report on and analyze user engagement on the platform
  • To give you the opportunity to influence which new products we launch
  • To enable you to share information with other users
  • Legitimate interest, art. 6(1)(f), GDPR, in connection with answering your questions and reporting and analyzing on user engagement
  • Performance of a contract, art. 6(1)(b), GDPR, which is our agreement with you about intellectual property rights assignment
  • Your consent, art. 6(1)(a), GDPR, in connection with advanced analytics and content you post to our social networks

Third party social networks
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Interact with third-party social networking features, such as “Like” functions*

*The social media platforms may use personal information collected from the LEGO Group’s social network account on their platform for their own purposes as described in their own privacy policies
  • Information you have made available, which may include demographic information about you and where you live, your comments, reactions, sharing of our social media account posts or other user generated content
  • Analytical performance data for social media posts and digital ads
  • To report on and analyze user engagement with the content posted on the platform(s)
  • To give you the opportunity to influence which new products we launch
Legitimate interest, art. 6(1)(f), GDPR, in connection with analyzing and reporting on user engagement and post-performance

Live streaming events (in store and online)
What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
Participate directly in or are captured in the audience or background of a live streaming event in an incidental way*

*Areas will be clearly marked, and we will obtain consent for people directly included

Live video streaming of the event, which includes people in the recorded area.
  • Identity Data
  • Contact Data
  • Tracking Data
  • To be able to host live streaming events to engage with consumers
    • With your consent, art. 6(1)(a), GDPR, in connection with your direct participation in such live streaming events
    • Legitimate interests, art. 6(1)(f), GDPR, in connection with persons being captured in the audience or background of a live streaming event in an incidental way

    Video monitoring (in stores and other relevant LEGO Group locations)
    What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
    Visit our LEGO® Stores or another publicly accessible LEGO Group facility Video footage of our premises To prevent and document criminal violations, including forced entry, robbery, theft, assault, or fraud and to provide security and safety for employees. To analyze foot traffic, store layout and in-store service offerings to enable the best possible store experience Legitimate interests, art. 6(1)(f), GDPR, in connection with preventing a breach of law or crimes being committed on LEGO® locations

    Business partners and commercial relations
    What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
    Enter a commercial relationship with us as a company or private person
    • Identity Data
    • Contact Data
    • Transaction Data
    • Purchaser Data
    • Other personal information you provide us with
    • To be able to manage the commercial relationship with you or your company
    • To fulfil our obligations in the commercial relationship
    • Performance of a contract, art. 6(1)(b), GDPR, in relation to our mutual contractual relationship
    • Legitimate interest, art. 6(1)(f), GDPR. Our legitimate interest is to manage our relationship with you or your company

    Research
    What you do What we collect Why we collect it Legal Basis if residing in the EU/EEA
    Participate in research surveys, focus groups, or other research
    • Identity Data
    • Contact Data
    • Photos or videos (if the research is conducted in person)
    • Other personal information you provide us with
    • To improve our existing products and services
    • To develop and improve new products
    Performance of a contract, art. 6(1)(b), GDPR in relation to the market research participant release

    We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

    To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

    Who will the LEGO Group share personal data with?

    Sharing information with LEGO Group companies

    Our subsidiaries (the other companies in the LEGO Group) may sometimes need to access your information to provide services to you on our or their own behalf. They need your personal data so we or they can perform the activities listed in the table above, including as an example:

    • Deliver products and services you’ve requested
    • Get in touch with you about your account or transactions
    • Send you information about our sites, applications and policies
    • Send you direct marketing messages
    • Send you product catalogues and other printed marketing materials.
    • Process information that the subsidiary is formally contracted to process on our behalf, e.g. carry out a purchase placed by you, manage your LEGO® Account, LEGO® Insiders Account activity, and/or manage your preferences in our Preference Center on LEGO.com or in our cookie settings.
    • Internal research, analytics and reporting
    • Identify, review and stop any activities that could breach our policies or break the law.

    Transfers to LEGO Group companies outside of the European Economic Area are based on Binding Corporate Rules.

    Sharing information with other companies

    Please see our category list of trusted third parties that we may share your information with here. We process personal data with third parties/vendors in the following categories:

    • IT Service providers. We use a series of trusted partners worldwide to provide us with IT services and system administration services - in regard to both our customer and partner facing activities as well as our internal IT and administration systems.
    • Global payment provider and processing partners. These help us to secure a safe and efficient payment process both online, in our stores or through invoicing or money transfers.
    • Cloud storage partners. We store our and your data at secure data centers.
    • Fraud prevention and detection partners and agencies. These work with the LEGO Group to secure that the LEGO Group is not defrauded.
    • Warehousing, packing, shipping and delivery partners. These help us get our products into the hands of our customers and business partners.
    • Catalogue printing, mailing and postal partners. These help us make sure catalogues, magazines or other printed marketing materials come your way.
    • Data broker and data aggregator partners. These help us reach potential new shoppers with catalogues, magazines and other printed or online marketing and advertising. They also help us prevent that e.g. more than one LEGO® catalogue comes your way at the same time.
    • Marketing and advertising partners. These help us to be able to provide tailored advertisements, promotions, sweepstakes, contests and campaigns both when you are interacting with the LEGO Group on online platforms, on social media, instore or otherwise. They also help us find new potential shoppers to serve marketing messages (also called “look alike”) or help us better ensure that we do not serve a marketing message to shoppers who are not interested in the product or service in question (also called “suppression”).
    • B2B partners including Merlin Entertainments and LEGO Certified Stores partners. They help us to be able to operate promotions, sweepstakes, contests and campaigns including the LEGO® Insiders loyalty program or LEGO® Family Club, as well as help us to be able to provide tailored advertisements and shopper insights.
    • Social media partners and online search platforms. These help us to be present, allow you to interact with the LEGO® Group on the platforms where you are, and allow us to provide tailored marketing of our products as well as provide us with an broader understanding of how our shoppers and consumers interact with us via these platforms and partners.
    • Survey, questionnaires and product review suppliers. These help us get your all-important feedback of your LEGO® experience.
    • Tax and customs authorities, regulators and other authorities globally. These require reporting of processing activities in certain circumstances.
    • Professional advisers. Including lawyers, bankers, auditors and insurers globally. These provide consultancy, banking, legal, insurance and accounting services to the LEGO Group.
    • Gaming platform partners. These help us to be present, allow you to interact with the LEGO Group, and to link your LEGO Account with the gaming platform account where this functionality is available.

    Other uses and disclosures

    We will also use and disclose personal data as we believe to be necessary or appropriate: (a) to comply with applicable laws (which may include laws outside the country you live in); (b) to respond to requests from public and government authorities (which may include authorities outside the country you live in); (c) to cooperate with law enforcement; (d) to protect our rights, privacy, safety or property, and that of our affiliates, you or others.

    In addition, we will use, disclose or transfer personal data to a third party in the event of any reorganization, merger, sale, joint venture, assignment.

    Transfers to third countries

    The LEGO Group may transfer personal data to organizations in so-called third countries (countries outside of the European Economic Area). Such transfers can be made if any of the following conditions apply;

    • The EU Commission has decided that there is an adequate level of protection in the country in question; or
    • Binding Corporate Rules (BCR) are in place (for inter-company transfers); or
    • Standard Contractual Clauses (EU model-clauses) are used; or
    • Exceptions in special situations apply, such as to fulfil a contract with you or your consent to the specific transfer.

    SECTION 3: COOKIES AND SIMILAR TECHNOLOGIES (“COOKIES”) Cookies are small data files that your browser places on your computer or device. A cookie itself does not contain or collect information. However, when it is read by a server via a web browser it can help a website deliver a more user-friendly service – for example, remembering previous purchases or account details.

    For more information about cookies and how to manage them, please read our full Cookie Policy and Cookie Declaration. or click on your cookie settings on LEGO.com or in the digital game or app (where applicable).


    SECTION 4: INFORMATION FOR PARENTS

    Information for parents: how the LEGO Group handles children’s personal data

    Keeping children safe online

    We care deeply about making sure children are safe online and have extra privacy processes in place to make sure we’re keeping our younger fans safe when they’re using our online channels. In fact, some features have age gates so to prevent children from inadvertently using such features. We also take all reasonable care to secure that we don’t knowingly collect, store, use or process personal information from children who may use those features without proper parental consent.

    We’ve joined a digital child safety program which audits our company on a yearly basis to make sure we follow the rules in the way interact with children online.

    When it comes to personal data, we seek parental consent for anyone under the age of 16 years (or older, in countries where local laws so require).

    If you have any questions or concerns about our Privacy Policy, please contact us.

    When we do process personal information from children, we take extra steps to protect their privacy including:

    • Making sure we tell parents what personal information we collect, store, use and process from their child and explaining whether we share the information;
    • Meeting legal requirements by asking for parental consent to collect, use and process a child’s data and asking for consent to send their children information about our products and services;
    • Limiting how we collect, store, use and process personal information from children so only data that is reasonably needed for them to take part in an online activity is collected;
    • Giving parents access or the option to ask for access to personal information we’ve collected from their child – parents can also ask for their children’s personal information to be changed or deleted.

    Collecting and using children’s information

    While some of our websites, channels and apps are designed with families and users of all ages in mind, others are intended to be used mainly by children. Whenever we collect personal information from a child, we only keep the information for the time we need it to provide a service or for the time it’s legally required to be kept on record.

    While children can choose whether to share their information with us, there are features of our websites that won’t function if they haven’t given us their information. Where personal information is needed for features to function, we’ll only ask for information that is reasonably required to take part in the activity.

    Here are some examples of times when we collect children’s data:

    • When children register online. Children can register on our websites to access a variety of services including content, games and competitions. During registration, we may ask a child to provide their parent’s or guardian’s email address, the child’s first name, gender, their birth date, their username and password. We use this information for security and notification reasons. We strongly encourage children to create a username that excludes any personal information.
    • When children share content they’ve created themselves. Some of our websites allow children to create or use content themselves. Since only some of these features require personal information from the child, not all activities require consent from a parent or guardian. Whenever an activity could potentially allow a child to share personal information, we’ll ask the parent or guardian for ‘verifiable parental consent’ (which is a higher level of parental consent). Examples of personal data could be stories, free-text fields, drawings that allow text or free-hand entry of information, photographs of the child, sound clips, movie files or any type of content or other persistent identifiers that clearly identifies the child in some way.
    • When children enter contests and sweepstakes. If a child wants to enter a competition, we ask for the personal information we need for a child to take part. We usually only ask for the child’s first name (so we can tell the difference between children from the same family) and the email address of a parent or guardian (so we meet legal requirements to notify the responsible adult). We’ll only contact the parent if the child wins the contest or sweepstake to find out where to send the prize. If the competition asks the child to create content to enter, we may need to ask for parental consent by email in advance to ensure we meet the privacy requirements for content children have created themselves (please see the information above about children creating content). Without consent, children won’t be able to take part in our competitions.
    • When children receive emails from us. We may need to ask for a child’s contact details (including their email address) so that we can reply to a question they’ve asked us. If we need to get in touch with the child a second time, for example to reply to additional questions, we request an email address from their parent or guardian. We then only keep the child’s online contact information for the time it takes us to honor their request and wouldn’t use the information for any other purpose. If we ever need a child’s online contact information for ongoing communication, we ask for the parent’s or guardian’s email address at the earliest opportunity so that we can keep the adult informed of the data we’re collecting and to give the parent an option to ask us to stop collecting data. Parents or guardians can opt out of any communication we have with their child at any time by following the unsubscribe instructions within each communication (if there is more than one type of communication, the adult may need to opt out of each individually). Alternatively, they can contact our LEGO Customer Service team.
    • When children receive app push notifications. Many apps send users ‘push notifications’ to their customers’ mobile phones or devices to tell them about updates (sometimes even when the app is not in use). Some of our apps are designed to be used by children. We ask children to provide the email address of their parent or guardian, so we can tell the adult about their child’s request before we send children push notifications from our apps. We don’t link the device identifier with any other personal information without parental consent. If you would like your child to stop receiving push notifications from one of apps, you can change the settings on the device your child’s using at any time.
    • When we collect location information. Some of our websites, channels and apps are designed for children. We request consent from a parent or guardian by email before collecting information on a child’s street name, address or coordinates. We do that because such information will effectively make us able to identify a specific child. As an opposite, we don’t require parental consent to collect information on a child’s city, country or region as long as it isn’t linked directly to the specific child. The reason for this, is that such generic information will not make us able to identify a specific child. If you would like to stop us collecting this type of location information, you can adjust the settings on the device your child is using at any time. Alternatively, please contact our LEGO Customer Service team.
    • When we collect ‘persistent identifiers’. In order to give visitors to our online channels more relevant and personalized online experiences, we collect some types on information (e.g. information on IP addresses, mobile device identifier, browsers, internet service providers, referring pages, exit pages, visitor frequency, operating systems, date stamps, time stamps and clickstream data). We collect this information using technologies such as cookies, pixels, flash cookies, web beacons and other unique identifiers (which we define under the Cookie section of this Privacy Policy). We may collect this information ourselves or ask a third party to process the data on our behalf. We use this data to give children access to online features and activities, to customize content, to improve our online channels, to analyze the performance of our online channel and to create anonymous reports. If we ever want to collect children’s personal data for any reason, we would contact the child’s parent or guardian for consent in advance. A list of third-party operators who collect ‘persistent identifiers’ on our sites and apps can be found in our Cookie Policy and Cookie Declaration.

    Requesting parental consent

    We use different types of parental consent depending on what type of children’s data we are processing and for what purpose.


    Asking for parental consent by email
    If we need to collect a child’s personal information to provide a service requested by the child, we’ll ask for parental consent according to legal requirements (e.g. COPPA for the US and GDPR for EU). We’ll send the child’s parent or guardian an email explaining what information we’re collecting, how we plan to use it and ask the parent to give or deny their consent. If we don’t receive parental consent in a reasonable time, we’ll delete all information we’ve collected from the child including the adult’s contact information that we asked for in order to request consent.


    Asking for ‘verified parental consent’
    If a child wants to share personal information publicly or with a third party via one of our websites or digital experiences, we’ll seek a higher level of parental consent than the email request described above. We may ask for verification by credit card or other payment method (with a nominal charge involved), or a review of the parent’s government issued ID.


    What if a parent or guardian hasn’t been contacted for consent?
    If a child under the age of 16 accesses an online channel that’s designed for children by using an age gate, we’ll email the child’s parent or guardian before collecting any personal information from the child. If you think that your child is taking part in an online activity that collects their personal information and you or another parent/guardian hasn’t received an email contacting you for consent, please contact us. We won’t use email addresses provided for parental consent for any other purpose unless the adult has expressly opted-in to marketing emails or taken part in an activity which allows email contact.

    Parental choices and controls

    At any time, parents or guardians can refuse to allow us to use and collect further personal information from their child. Parents or guardians can ask us to delete the personal information we have collected in connection with their child’s account from our records. As personal information is required for some services, deleting a child’s records may result in an account, membership, or service being unavailable to the child in the future.
    If a child has a registered LEGO Account, parents or guardians can access, change or delete the personal information we’ve collected from their child by:

    • Using their child’s username and password to log into their child’s LEGO Account; or
    • Getting in touch with our LEGO Customer Service team

    If you’d prefer to contact us please let us know your child’s username along with your own telephone number and email address. We’ll need to confirm your identity as the parent or guardian of the child before granting access to the child’s personal information. We will respond to your request within a reasonable timeframe.


    SECTION 5: INFORMATION FOR KIDS

    Information for kids: Child Friendly Privacy Information

    Who are we?

    We are the LEGO Group and we want to inspire and develop the builders of tomorrow. We make lots of products like LEGO® bricks and sets, as well as digital apps and games. We also operate retail stores around the world and on the internet, and we operate the LEGO.com website.

    This Privacy Policy tells you how we use your personal data, so you know what happens with it when you give it to us.

    Sometimes there are links to other pages. You might want an adult to help with these because they can sometimes be confusing.

    Personal data? What’s that?

    Anything that can be used to identify you is your personal data. You might already know this could be things like your name or a photo of you, but it is also things like your email address or online username.

    The LEGO Group uses a lot of personal data. If you want to know more, please ask an adult to help you read the entire Privacy Policy.

    Why do you need my personal data?

    The main reason we need to use your personal data is to know who you are.

    If you are logged in to one of our apps or games, we use your personal data to keep track of your game progress, to help you stay connected with your friends in the app or game, or to let you save content you have uploaded to your LEGO Account.

    We sometimes also use your personal data because of an event you take part in, or a competition we organize, to make sure if you win that you get your prize.

    If we don’t have your personal data, it means we might not be able to do certain things for you. We might not be able to remember how far you made it in a certain game, or let you upload photos to share with friends.

    If you want to know more about what we are doing with your personal data, you can ask an adult to read the full Privacy Policy with you to help you understand the details.

    So, can you just use my personal data for anything?

    Nope! We can only use your personal data for certain reasons.

    We provide a lot of online services, and there are some rules that say we need to use your personal data to do our work and deliver the service to you, and we can do this without asking you first.

    Other times, we need to get consent from your parents. If you or your parents (or guardians) say no then we won’t (and can’t) use your personal data.

    Can anyone else see my personal data?

    Sometimes we need to share your personal data to do our work. We’re very careful about how we do this, which means there are even more rules.

    We might need to share your data with your family if they are helping you. Also, we might need to share your data with other people. Please ask an adult to help you read our full Privacy Policy and Cookie Policy and Cookie Declaration.

    Do you keep my personal data forever?

    We are only allowed to keep your personal data for as long as we need it. Depending on the circumstances, this period can vary.

    Do I have a say in what happens to my personal data?

    Yes you do. You have what we call 'rights' when we use your data. One of these is the right to know what we do with it. That’s what this page is for.

    You can ask us to tell you what personal data we have about you, or you can tell us to stop using it or delete it. If your personal data is wrong or incorrect, you can tell us and we will fix it.

    The rights you have depend on what we use your data for, and there is a lot more information in this Privacy Policy. Please ask an adult to help you read it.

    Who makes sure you follow all the rules?

    We have someone here at the LEGO Group called our Data Protection Officer, and their job is to protect your data. This means they make sure we are following all the rules, and that your data is safe. If they see something wrong, they tell us how we can fix it.

    It is very important for us to keep your data safe, and to follow all the rules. If you are worried about what we do with your personal data, please contact us.

    There is also a government agency whose job it is to make sure companies like us follow the rules, and correct us if we do things wrong. You can also email or write to them. You will find their contact information at www.datatilsynet.dk.

    About our website

    Like lots of websites, our website downloads tiny files called “cookies” onto your computer. These help our website to work properly for you. You can find out more about cookies in our Captain Safety video, here.


    LEGO BrickLink, Inc. Privacy Policy