Legal

[Article page/Published] : 09 December 2014, 07:53 CET

Privacy Policy

The LEGO Group Privacy Policy

Last Modified: May 24th, 2018

Our Privacy Policy
Welcome to our privacy policy! It’s great that you’d like to know more about how we keep your information safe. This policy will give you information about how we look after your personal data when you visit our website (regardless of where you visit it from) or use our services or our applications (apps). The policy also tells you about your privacy rights and how the law protects you.

So, if you’re looking for more information on how we collect, store, use and share your personal data we collect, this is the place for you!

Now to start us off with, a couple of practical but highly important details for you to take note of!

Who we are

The LEGO Group is made up by several different legal entities spread around the world. Read more about the LEGO Group here https://www.lego.com/aboutus  

This privacy policy is issued on behalf of all the companies in the LEGO Group. All the companies in the LEGO Group has decided that the Danish company LEGO System A/S is our global data controller (the one responsible and in charge of the data).  So, when we use “we”, “us” or “our” in this policy, we are actually talking about LEGO System A/S.

How to contact us

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this policy, please contact our DPO at:

LEGO System A/S
Aastvej 1,
7190 Billund,
Denmark
Att: Data Protection Officer

Or by email: privacy.officer@LEGO.com

Please include your name and if you know it, the relevant LEGO Group company. If you don’t have that information, it’s absolutely fine and we will then, treat your request as if it the question relates directly to LEGO System A/S.

Your rights as a someone we have personal data about (data subject)

You can make changes to your account information yourself by editing them from within your account settings. If you wish to unsubscribe from e.g. newsletters or marketing emails you will be able to do so via the link provided in those emails. If you wish to delete cookies placed, our cookie policy will help show you how to do that (more on that later in the Policy under Cookies).

At any point while we are in possession of or processing your personal data, you have the following rights:

  1. Right of access – you have the right to request a copy of the information that we hold about you.
  2. Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  3. Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records. If we are legally obligated to keep the information or if it is impossible or unproportionate, we won’t delete it but we will only keep it for as long as it is needed and we have time limits on our data systems.
  4. Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  5. Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  6. Right to object – you have the right to object to certain types of processing such as direct marketing.
  7. Right to object to automated processing, including profiling – you also have the right not to have a computer make decisions about you directly (this doesn’t include general marketing based on your age or gender).
  8. Right to judicial review – if we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain.

One thing to bear in mind before contacting us. Our sites and applications may contain links to other sites not owned or controlled by us. It could as an example be social media platforms/services. We are not responsible for the privacy practices of those sites, so if you have questions regarding such sites, you need to contact the site directly. We also really encourage you to be aware and read the privacy policies of other sites because they may very easily be collecting, storing, using and sharing your personal information.

Complaints about our behaviour

You have the right to complain if you don’t feel the LEGO Group is living up to our responsibilities when it comes to your data.

We have a Global Data Protection Officer at the LEGO Group, who takes your complaint very serious. You can contact our Global Data Protection Officer on this email privacy.officer@lego.com. We will send you a confirmation within 5 days and do our very best to deal with the issue within 1 month. If the issue is difficult or requires a lot of work it may take longer, but we will keep you updated.

You always have the right to complain to the authorities as well, but because we take privacy matters very seriously, we would really appreciate it, if you would talk to us. The authority having the right to look at us, is the Danish Data Protection Agency. You can see further information on their webpage: https://www.datatilsynet.dk/.

You can complain about:

  1. how your personal data has been processed;
  2. how your request for access to data has been handled;
  3. how your complaint has been handled;
  4. appeal against any decision made following a complaint.

Our rules for collecting data

We take your privacy really seriously, so we’ll only ask for the information we need to have so we can give you great service.

Whenever we collect customer data, we make sure:

  • We ask for permission to collect the data
  • We only use the data for the agreed reason and for the time it’s needed
  • We will as a minimum meet the local data protection laws in the country where we provide you with a service via our website or our applications.
  • We keep data that we’re legally required to have on record
  • We explain why we need the data and how we’ll use it (unless we have legitimate reason not to)
  • We check and update privacy information on a regular basis (we might also cross-check the data against other database to make sure it’s correct)
  • We don’t share data with anyone unless we have a legal or legitimate reason, or we have permission from you or if you are a child under 16 from your parents.

Collecting data in our online channels

We collect your personal and anonymous information from you when you visit any of the sites on our LEGO.com domain or when you use one of our applications. When you visit our online channels, you’ll be able to check if we’re collecting data under terms and conditions of the site.

We also receive information via third party when you visit our page on social media sites or channels (e.g Facebook, Twitter, Youtube, Instagram, Wechat etc).

Types of personal information we collect

When you’re visiting any of these online channels, we may collect:

  • Registration information that we use to help you set up an account (e.g. your name, country, gender, date of birth, email address, username and password).
  • Payment or transactional information that we use when you buy products or use online services (e.g. postal address, phone number or credit card number).
  • Location information or your IP Address that we use to give you relevant online content.
  • Information you’ve shared publicly on our forums.
  • Information you’ve sent to an individual or group using our messaging, chat or post services
  • Information you provide when you use our own online channels or third-party channels (such as social networks) or if you link your LEGO registration account to a third-party platform.

Why we need to process personal data

In legal terms, the way we ‘process data’ describes how we collect, store, use, share and delete the data we receive from customers. When you share your personal information with us on our online channels, we’ll process your data as described in this Privacy Policy.

As we’re a global company that sells toys directly to customers and offers many different experiences for our fans, we need to process personal customer data, so that:

  • Customers can buy products from our online LEGO Shop and have them delivered where they want
  • Customers are able register for any accounts and services they want to use
  • Customers can use the online and offline LEGO experiences we’ve created for them
  • Customers can share information on our public forums
  • We can send customers any information they’ve asked us for or answer their questions
  • We can ask customers to give us feedback on our services through questionnaires and surveys
  • We can provide our customers with relevant marketing information about our products.

Always keep in mind, that if you’re using a LEGO service through a third-party channel like social media or a LEGO app, your personal data may also be processed by that third-party according to their own privacy processes.

We may use automated decision making in processing your personal information for some services and products. An example is our fraud prevention and detection efforts on shop.LEGO.com. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.

How we process personal data

When you visit our online channels or when you use third-party sites or platforms, we use technology such as cookies, flash cookies, pixls and web beacons to process your personal data.

Please visit our Cookie Policy for more information, including information about how to delete cookies places on your device and how to prevent them from being put there in the first place!

Be mindful that if you do enable a prevent cookies functionality on your device, some of our services and functionalities on the site will no longer work.

We also collect information from other trusted sources, so we can update or add to the personal information we’ve collected ourselves.

Sharing information with trusted subsidiaries (other LEGO companies)

Our subsidiaries (the other companies in the LEGO Group) may sometimes need to access your information to provide services to you on our behalf. Because the LEGO Group is passionate about your privacy, we have made a decision to implement the same privacy protection all over the world, so you can feel safe no matter which LEGO Group company is using your data.  Legally, other LEGO Group companies will then be acting as ‘data processors’ and will be subject to data processing laws. They need your personal data so they can:

  • Deliver products and services you’ve requested
  • Get in touch with you about your account or transactions
  • Send you information about our sites, applications and policies
  • Send you any newsletters you’ve signed up for (you can unsubscribe at any time)
  • Process information that the subsidiary is formally contracted to process on our behalf, e.g. carry out a purchase placed by you, manage your LEGO ID account activity or your VIP account data.
  • Identify, review and stop any activities that could breach our policies or break the law

Sharing information on public forums and chat

As our public forums and chat services can be read by everyone, any personal information you share on them can be seen publicly.  If you’d like us to remove any of your personal information from public areas of the site, please email our Customer Service. If we can’t remove your personal information for any reason, we’ll let you know why. If you’re under 16 years old, you’ll need the permission of a parent or guardian to use our public forums or chat features.

Sharing your LEGO ID

You can use your LEGO ID on our trusted partners’ third-party websites, so you can play virtual games without creating a separate account. If you choose to use your LEGO ID, we’ll have access to some information that you provide to the third-party websites. We’ll collect, store, use and process that information according to this Privacy Policy. Third-party sites will also be able to access some information from your LEGO ID profile, so you can to take part in experiences on their site. Please read their privacy policy if you’d like to know more about how they use your information.

Sharing information on Social Media (Features) and Widgets

Some of our websites may include social media links such as the Facebook ‘like’ button, widgets like ‘Share this button’ and interactive mini-programs. If you click on any of these links, the features may collect your IP Address and record which page you were visiting at the time. The features may also use cookies so that the feature can function properly. Social media features and widgets are hosted by third parties or may be hosted directly on our website. When you’re using these features and widgets, your personal data will be processed by that third-party according to their own privacy policies.

Sharing information with other companies

Please see our category list of trusted third parties that we may share your information with here

We won’t share your personal information outside the LEGO Group except:

  • When we need to enforce the terms of use or the policies that we ask customers to agree to;
  • When we need to protect the safety, security, rights and property of our customers or third-party partners;
  • When we need to meet legal processes or if disclosure of the data is required by law;
  • When we’re asking other companies like e.g. couriers, shipping and warehouse service provides, payment providers, IT platform providers, fraud detection and prevention providers, survey providers, product catalogue providers and customer service suppliers to deliver services on our behalf; We have contracts with the companies to make sure they only use your personal information for agreed services and meet legal requirements;
  • When we store your information using secure cloud storage services/facilities. We have contracts with companies to make sure they only use your personal information for the agreed services and meet legal requirements;
  • If a merger, acquisition or sale of assets ever meant we needed to share information with a third party - in this case we’d email you and post a notice on our website to publish the change of owner and we’d also tell you how your data would be used and give you options regarding your personal data;
  • When you’ve given us permission to share your information with third parties so they can send you information on their products and promotions (you can opt out of these emails by contacting our LEGO Customer Service team although in some cases you may also need to contact the third-party directly);
  • When you have given us permission to share your information with third parties, so they can provide you with marketing information and promotions regarding our products (as an example personalised advertising provided via a social media platform). You can opt out of such marketing activities by adjusting your cookie settings on your device. In some cases, you may also need to contact the third party directly (in case of social media adjust your privacy settings and request deletion of collected information by the third-party site)
  • When you’ve asked us to share your personal information with third-party sites or platforms like social networking sites – once it’s been shared, your personal data will be processed by that third-party according to their own privacy processes

 

How long do we keep your personal information

We’ll keep your personal information as long as your account is active or as long as it’s needed to provide a service. We have so called retention polices for each of the categories of personal information that we process.

If you’d like to cancel your account or for us to delete your data, we’ll only keep information that we need for legal reasons, to resolve disputes or to enforce our agreements. 

Our Cookie Policy

Cookies are small data files that your browser places on your computer or device. A cookie itself does not contain or collect information. However, when it is read by a server via a web browser it can help a website deliver a more user-friendly service – for example, remembering previous purchases or account details.

Like most websites, our online channels and our applications (apps) collect some information (e.g. information on IP addresses, browsers, internet service providers, referring pages, exit pages, operating systems, date stamps, time stamps and clickstream data). This information won’t be linked to any other information we collect about you unless you have given your consent that we may do this.

Both we and our third-party tracking utility partners use browser storage, app storage, cookies, pixls, beacons, scripts and tags to analyse trends, administer the site, track user movement through the site and collect demographic information about our overall user base. We may receive reports on these from our third-party tracking utility partners on an individual and aggregate basis. For more information about cookies, please read our full Cookie Policy.

Keeping children safe online

We care deeply about making sure children are safe online and have extra privacy processes in place to make sure we’re keeping our younger fans safe when they’re using our online channels. In fact, some features have age gates so to prevent children from inadvertently using such features. We also take all reasonable care to secure that we don’t knowingly collect, store, use or process personal information from children who may use those features without proper parental consent.

We’ve joined a digital child safety program which audits our company on a yearly basis to make sure we follow the rules in the way interact with children online.

We also follow all relevant laws for children aged between 13 and 18 and when it comes to personal data, we consider anyone under the age of 16 years a child


TrustArc Privacy Seal

Our Privacy Policy’s been given the ‘TrustArc Privacy Seal’ which means our practices meet the standards of the TrustArc program, which secures that our practices are compliant with the American COPPA rules (Children Online Privacy Protection Act applies only to Children under the age of 13). Our TrustArc certification also covers information collected on our channels, apps and websites. You can find out more by clicking on the TrustArc seal icon. If you have any questions or concerns about our Privacy Policy, please contact our Data Protection Officer at privacy.officer@lego.com. If you aren’t happy with our answers, please contact TrustArc (https://www.trustarc.com/).

When we do process personal information from children, we take extra steps to protect their privacy including:

  • Making sure we tell parents what personal information we collect, store, use and process from their child and explaining whether we share the information

  • Meeting legal requirements by asking for parental consent to collect, use and process a child’s data and asking for consent to send their children information about our products and services

  • Limiting how we collect, store, use and process personal information from children so only data that is reasonably needed for them to take part in an online activity is collected

  • Giving parents access or the option to ask for access to personal information we’ve collected from their child – parents can also ask for their children’s personal information to be changed or deleted

Collecting and using children’s information

While some of our websites, channels and apps are designed with families and users of all ages in mind, others are intended to be used mainly by children. Whenever we collect personal information from a child, we only keep the information for the time we need it to provide a service or for the time it’s legally required to be kept on record.

While children can choose whether to share their information with us, there are features of our websites that won’t function if they haven’t given us their information. Where personal information is needed for features to function, we’ll only ask for information that is reasonably required to take part in the activity.

Here are some examples of times when we collect children’s data:

  • When children register online
    Children can register on our websites to access a variety of services including content, games and competitions. During registration, we may ask a child to provide their parent’s or guardian’s name, their email address, their first name, gender, their birth date, their username and password. We use this information for security and notification reasons. We strongly encourage children to create a username that excludes any personal information. 

  • When children share content they’ve created themselves
    Some of our websites allow children to create or use content themselves. Since only some of these features require personal information from the child, not all activities require consent from a parent or guardian. Whenever an activity could potentially allow a child to share personal information, we either review the content ourselves and make sure personal information is removed or ask for permission from a parent or guardian to collect the data. Types of personal data that children have shared with us in the past include stories, free-text fields, drawings, photographs, sound clips, movie files or any type of content that clearly identifies the child in some way. If, as well as collecting content that includes personal information, we also plan to share the content publicly or with a third party for their own use, we’ll ask the parent or guardian for ‘verifiable parental consent’ (which is a higher level of parental consent).

  • When children enter contests and sweepstakes
    If a child wants to enter a competition, we ask for the personal information we need for a child to take part. We usually only ask for the child’s first name (so we can tell the difference between children from the same family) and the email address of a parent or guardian (so we meet legal requirements to notify the responsible adult). We’ll only contact the parent if the child wins the contest or sweepstake to find out where to send the prize. If the competition asks the child to create content to enter, we may need to ask for parental consent by email in advance to ensure we meet the privacy requirements for content children have created themselves (please see the information above about children creating content). Without consent, children won’t be able to take part in our competitions.

  • When children receive emails from us
    We may need ask for their child’s contact details (including their email address) so that we can reply to a question they’ve asked us. To meet legislative requirements around the world, we’ll delete any information we have on the child as soon as the reply’s been sent. If we need to get in touch with the child a second time, for example to reply to additional questions, we would request an email address from their parent or guardian. We’d then only keep the child’s online contact information for the time it takes us to honour their request and wouldn’t use the information for any other purpose. If we ever need a child’s online contact information for ongoing communication, we’d ask for the parent’s or guardian’s email address at the earliest opportunity so that we can keep the adult informed of the data we’re collecting and to give the parent an option to ask us to stop collecting data. Parents or guardians can opt out of any communication we have with their child at any time by following the unsubscribe instructions within each communication (if there is more than one type of communication, the adult may need to opt out of each individually). Alternatively, they can contact our LEGO Customer Service team.

  • When children receive app push notifications
    Many apps send users ‘push notifications’ to their customers’ mobile phones or devices to tell them about updates (sometimes even when the app is not in use). Some of our apps are designed to be used by children. We ask children to provide the email address of their parent or guardian, so we can tell the adult about their child’s request before we send children push notifications from our apps. We don’t link the device identifier with any other personal information without parental consent. If you would like your child to stop receiving push notifications from one of apps, you can change the settings on the device your child’s using at any time.

  • When we collect location information
    Some of our websites, channels and apps are designed for children. We request consent from a parent or guardian by email before collecting information on a child’s street name, address or coordinates. We do that because such information will effectively make us able to identify a specific child. As an opposite, we don’t require parental consent to collect information on a child’s city, country or region as long as it isn’t linked directly to the specific child.  The reason for this, is that such generic information will not make us able to identify a specific child. If you would like to stop us collecting this type of location information, you can adjust the settings on the device your child is using at any time. Alternatively, please contact our LEGO Customer Service team.

  • When we collect ‘persistent identifiers’
    So we can give visitors to our online channels more relevant and personalised online experiences, we automatically collect some types on information (e.g. information on IP addresses, mobile device identifier, browsers, internet service providers, referring pages, exit pages, visitor frequency, operating systems, date stamps, time stamps and clickstream data). We collect this information using technologies such as cookies, pixls, flash cookies, web beacons and other unique identifiers (which we define under the Cookie Policy section of this Privacy Policy). We may collect this information ourselves or ask a third party to process the data on our behalf. We use this data to give children access to online features and activities, to customise content, to improve our online channels, to analyse the performance of our online channel and to create anonymous reports. If we ever want to collect children’s data for any other reason, we would contact the child’s parent or guardian for consent in advance. A list of third-party operators who collect ‘persistent identifiers’ on our sites and apps can be found in our Cookie Policy.

What if we accidentally collect children’s data?

If we discover that we’ve unintentionally collected information from a child in a way that doesn’t meet COPPA requirements, we’ll either delete the information or immediately ask for parent or guardian consent for the collection of the data.

Requesting parental consent

Asking for low-level consent by email

If we need to collect a child’s personal information, we’ll ask for parental consent according to COPPA legal requirements. We’ll send the child’s parent or guardian an email explaining what information we’re collecting, how we plan to use it and ask the parent to give or deny their consent. If we don’t receive parental consent in a reasonable time, we’ll delete all information we’ve collected from the child including the adult’s contact information that we asked for in order to request consent. 

Asking for high-level ‘verifiable consent’

If we want to share a child’s personal information publicly or with a third party, we’ll seek a higher level of parental consent than the email request described above. We may ask for verification by credit card or other payment method (with a nominal charge involved), verification over the phone, a video chat or a signed consent form to be returned to us by mail, email attachment or fax. We may give the parent a guardian a PIN or password that they’ll be able to use in future communications to confirm the adult’s identity.

What if a parent or guardian hasn’t been contacted for consent?

If a child of 15 years old or younger accesses an online channel that’s designed for children by using an age gate, we’ll email the child’s parent or guardian before collecting any personal information on the child. If you think that your child is taking part in an online activity that collects their personal information and you or another parent/guardian hasn’t received an email letting you know or seeking you consent, please contact our Data Privacy Officer at privacy.officer@lego.com. We won’t use email addresses provided for parental consent for any other purpose unless the adult has expressly opted in to marketing emails or taken part in an activity which allows email contact.

Parental choices and controls

At any time, parents or guardians can refuse to allow us to use and collect further personal information from their child. Parents or guardians can ask us to delete the personal information we have collected in connection with their child’s account from our records. As personal information is required for some services, deleting a child’s records may result in an account, membership, or service being unavailable to the child in future.

If a child has a registered LEGO ID, parents or guardians can access, change or delete the personal information we’ve collected from their child by:

  • Using their child’s username and password to log into their child’s LEGO ID account
  • Getting in touch with our LEGO Customer Service team

If you’d prefer to contact us, please let us know your child’s username along with the your own telephone number and email address. We’ll need to confirm your identity as the parent or guardian of the child before granting access to the child’s personal information.

If we make material changes to how we use Personal Information collected from a child under the age of 16, we’ll tell their parent or guardian by email and ask for ‘verifiable parental consent’ for the new uses of the child's personal information.

Sharing information we have consent to share with others

If we’ve received high-level parental consent to share a child’s personal information publicly, we may also share personal information with our service provides or legal authorities. We may share information with our service providers including software solution companies, online security partners and customer services. Our contracts with these companies make sure they only use personal data for the agreed purpose.

We may share personal information to meet legal processes or if disclosure is required by law. As allowed by relevant laws, we may also share personal information collected from children to:

  • Comply with a request from to a law enforcement or public agency (including schools or children services) or to avoid liability
  • Make a disclosure that we believe may stop a crime being committed
  • Help an investigation related to public safety
  • Protect the safety of a child who’s using our online channels
  • Protect the technology of our service providers or security of our online channels themselves

Parents have the right to consent to the collection, use and processing of their child’s personal information without also having to consent to the disclosure of that information to third parties. We don’t share information with third parties other than as described above.

Our employees

Whether you’re an existing employee or applying for a job with us, we’ll process specific information relevant for your employment and application. The principles in this Privacy Policy will also apply to your employment and application.

LEGO Partners

We define LEGO Partners as other companies doing business with the LEGO Group. We process information on our LEGO Partner companies for collaboration and evaluation purposes.

Data security and integrity

The security, integrity and confidentiality of customer information is extremely important to us. We use technical, administrative and physical security measures to protect personal information from unauthorized access, disclosure, use and modification. All external transfers that contain personal information are done using encrypted technology. Credit card information is handled by approved service providers that meet PCI (Payment Card Industry) standards and have appropriate safeguards in place.

Although we regularly review our security procedures and evaluate new technology and methods to make our online channels safer, no security measures are perfect or impenetrable.

Our customers, employees and partners also play an important role in protecting information. We encourage customers to choose passwords that are difficult for others to guess and to keep their personal passwords secret.

Should you notice any flaws or concerns in our security, please contact our LEGO Customer Service team as soon as possible.

If we ever experience a data breach in which customer information is at risk of being misused, we’ll contact customers according to legal requirements. If necessary, we’ll also contact data protection authorities.

Data transfers, storage and processing globally

As we’re a global company, we may transfer your personal information to individual subsidiaries of the LEGO Group or third parties in locations around the world for the purposes described in this Privacy Policy. Whenever your personal information is transferred, stored or processed by us or by companies carrying out such services on our behalf, we’ll take reasonable steps to safeguard the privacy of your personal information. Additionally, when using or disclosing personal information we abide by our Binding Corporate Rules, when these become effective.

The Binding Corporate Rules provide the highest security to you when it comes to how your information is processed.

Binding Corporate Rules and local legal requirements

We want to make sure we as a minimum use the standards of data privacy and security that follows from the European General Data Protection Regulation (“GDPR”) anywhere in the world where we collect, store, use or share your personal data. Where your local rules require more from us than that, we will adjust our practice to make sure your data is safe with us no matter where in the world you are! To bind us to that promise we have implemented something called with effect from [June/2016?) ‘Binding Corporate Rules. These rules are set by European data authorities across the European Union (EU) and set the some of the highest standards in the world on data collection, storage, use and sharing.

Notice to California Residents: If you’re a California resident, you’re permitted by California Civil Code Section 1798.83 to request information regarding the disclosure of your personal information by certain members of the LEGO Group to third parties for the third parties’ direct marketing purposes. With respect to these entities, this privacy policy applies only to their activities within the State of California

Notice to Australian Residents: In regards to how we process your information to be compliant with local legislation the following will apply in supplement to the Privacy Policy:

-      We generally collect personal information directly from you where this is reasonable and practical, but may also acquire information from other trusted sources to update or supplement the personal information you provided or which we processed automatically.

-      We may also use your personal information to tell you about the products and services of the LEGO Group or third parties. From time to time, we and our LEGO Group entities and business partners may contact you by mail, telephone, email or other electronic messaging services (such as text, voice, sound or image messages including using automated calling systems) with information about products and services (including discounts and special offers). If you no longer wish to receive marketing or promotional information from us and our LEGO Group entities or our partners, you can unsubscribe at any time. There are certain messages relating to the goods and services we provide to you that cannot be unsubscribed from.

-      Should the LEGO Group experience a data breach and your information be involved, we will contact you if there is a risk of serious harm to you and if we are legally obliged to do so. In some instances the LEGO Group will also be legally obliged to contact (data protection) authorities when a breach of privacy information occurs.

We will take such steps that are reasonable in the circumstances (if any) to destroy or de-identify personal information when it is no longer required.

Changes to this Privacy Policy

We may change this Privacy Policy to accommodate new technologies, industry practices, regulatory requirements or for other purposes. We will provide prior notice to users by email and post the information on our online channels if these changes are material and request your consent if legally required.

Third party vendor categories

The LEGO Group works with several trusted partners to secure that we provide you, our business partners and our employees with the best experience possible. This means that we will at times need to allow third parties to process personal data.

To give you an overview we have categorised the type of vendors we use and what we use them for on a category basis.

However, if you wish to know what cookies we are placing on your devices – please look at our detailed third- party cookie list.

We process personal data with vendors in the following categories:

IT Service providers - we use a series of trusted partners world wide to provide us with IT services and system administration services - in regards to both our customer and partner facing activities as well as our internal IT and administration systems.

Global payment provider and processing partners - to secure a safe and efficient payment process both online, in our stores or through invoicing or money transfers.

Cloud storage partners - we store our and your data at secure data centres around the world.

Fraud Prevention and detection partners and agencies – working with the LEGO Group world wide to secure that the LEGO Group is not defrauded.

Warehousing, packing, shipping and delivery partners – helping us get our products into the hands of our customers and business partners around the world.

Catalogue printing and mailing and postal partners - helping us making sure catalogues and magazines come your way.

Marketing partners – to be able to provide targeted and personalise advertisements, promotions and campaigns both when you are interacting with LEGO on our online platforms, on social media, instore or otherwise.

Social Media Partners – to be present and allow you to interact with the LEGO Group on the platforms where you are.

Survey, questionnaires and product review suppliers - helping us secure that we get your all-important feedback of your LEGO® experience!

Tax and customs authorities, regulators and other authorities globally - who require reporting of processing activities in certain circumstances.

Professional advisers -  including lawyers, bankers, auditors and insurers globally, who provide consultancy, banking, legal, insurance and accounting services to the LEGO Group.