Last Modified: November 1st, 2014
For that reason the LEGO Group has applied for a Binding Corporate Rules approval from the European data authorities across the European Union and introducing the European data privacy rights protection as a global standard taking into account national legislation outside the European Union. The Binding Corporate Rules encompasses high standards on collection, use, disclosure and generally of your information. You can read more about Binding Corporate Rules here http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/index_en.htm.
In addition, the LEGO Group has joined a digital child safety program on protecting children online where the LEGO Group is audited regularly. You can read more about this in our Children´s privacy section.
We hope we have earned your trust and hope you will have a playful experience with the LEGO Group.
1. Our general principles on data collection, use and processing
2. Types of information we collect, use, and process
3. Why and how we collect, use and process your information
4. How we use your information within the LEGO Group companies
5. Sharing your information with other companies
6. Your controls and choices
8. Children’s privacy
9. LEGO employees
10. LEGO partners
11. Data security and integrity
12. Data transfers, storage and processing globally
14. Contact information
1. Our general principles on data processing
To ensure your data is being processed correctly we have adopted the following principles:
- We only collect and process your personal information if we have a legal basis for the processing under applicable laws, for example:
- We have collected your consent,
- It is necessary to fulfil an agreement with you,
- We legally are obliged to do so, or
- We have objective reasons and the processing does not harm you.
- We will however always collect your consent as a parent or legal guardian if your child under 13 years is providing personal information online.
- We will always inform you of the processing and the purpose of the processing, unless, and only in special cases, we have a legitimate basis not to do so.
- We only process your personal information for the original purpose or for other purposes that are not incompatible with the original purpose.
- We do not disclose your personal information to other persons or companies outside the LEGO Group unless you have given us your consent, unless we have an agreement with you or unless we are legally obliged to do so.
- We strive to verify and update your privacy information on a regular basis.
- We might supplement your personal information with information from other databases to ensure that your data is correct and up to date.
- We use high technical standards to protect your personal information.
- We do not store your personal information longer than what is necessary to serve the purposes for which the personal information was collected or further processed.
2. Types of information we process
We process two basic types of information – personal information and anonymous information.
We will collect your personal information when you engage with us on our different channels where you will be presented with specific terms that tell you what specific data, if any, is collected and for which purpose. We highly recommend that you read the specific terms on our channels carefully before accepting our terms. Our different channels at the moment are:
LEGO ID https://account.lego.com/
LEGO Shop http://shop.lego.com/
LEGO VIP http://shop.lego.com/VIP
LEGO CLUB http://www.lego.com/club
LEGO IDEAS http://www.lego.com/ideas
LEGO REBRICK http://rebrick.lego.com/
LEGO DUPLO http://www.lego.com/duplo
LEGO CUSTOMER SERVICE http://service.lego.com/
LEGO app stores (Apple iTunes store, Google Play store etc.)
LEGO Social media sites (Facebook, Twitter, YouTube etc.)
However, in general we typically process the following categories of personal information:
• Registration information you provide when you create an account in one of our channels, including your first name and surname, country of residence, gender, date of birth, email address, username and password.
• Transaction information you provide when you request information or purchase a product or service from us, whether on our sites or through our applications, including your postal address, telephone number and payment information (such as credit card number).
• Information you provide in public forums on our sites, channels and applications.
• Information sent either one-to-one or within a limited group using our message, chat, post or similar functionality, where we are permitted by law to process this personal information.
• Information you provide to us when you use our sites, channels and applications, our applications on third-party sites or platforms such as social networking sites, or link your profile on a third-party site or platform with your registration account.
• Location information when you visit our sites, channels or applications, including location information either provided by a mobile device interacting with one of our sites, channels or applications, or associated with your IP address, where we are permitted by law to process this information.
• Usage, viewing and technical data, including your device identifier or IP address, when you visit our sites, use our applications on third-party sites or platforms or open emails we send.
3. Why and how we process your personal information
By “processing” we collect, use, disclose, store and at some point delete your data.
• We process your personal information and anonymous information for the purpose of running our daily business and delivering LEGO experiences. In other words you give us your data and so that we can run our business and give you LEGO experiences online and offline.
• We acquire information from other trusted sources to update or supplement the personal information you provided or which we processed automatically.
4. How we use your information within the LEGO Group companies
The LEGO Group is based in Billund, Denmark, but we have subsidiaries and branches throughout the world. You can learn more about the LEGO Group and its subsidiaries here http://www.lego.com/aboutus/lego-group/locations. The primary data controller will be LEGO System A/S, Aastvej 1, 7190 Billund, Denmark. Other subsidiaries of the LEGO Group may have access to your information where they perform services on behalf of the data controller (as a data processor) and, unless prohibited under applicable law, for use on their own behalf (as a data controller) for the following purposes:
• Provide you with the products and services you request.
• Communicate with you about your account or transactions with us and send you information about features on our sites and applications or changes to our policies.
• Send you newsletters if you sign up to receive them, you may opt-out at any time by following the unsubscribe instructions located at the bottom of each communication.
• Process LEGO Partner information where the local LEGO subsidiary is the formal contract partner.
• Detect, investigate and prevent activities that may violate our policies or be illegal.
Public Forums and Chat Features
You should be aware that any personal information you choose to share within public forums or chat features offered on the site may be read, collected and used by others who access them. To request removal of your personal information from publically available areas of the site, contact us at firstname.lastname@example.org. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. Please note that users under 13 may not use these areas of the site until consent has been provided by their parent or legal guardian.
Please note that within some of our games you are able to use our friend finder tool so that you may connect and play games with friends. Please note that no personal information will ever be shared between users who are known to be under the age of 13.
Social Media (Features) and Widgets
5. Sharing your information with other companies
We will not share your personal information outside the LEGO Group except in limited circumstances such as:
• To ensure the safety and security of our consumers and third parties.
• To protect our rights and property and of our consumers and third parties.
• To comply with legal process or in other cases if we believe that disclosure is required by law, such as to comply with a subpoena or similar legal process.
• When companies perform services on our behalf, like package delivery, payment processing, and customer service; however, these companies are prohibited from using your personal information for purposes other than those clearly defined by us or required by law and we have written contracts in place to ensure this.
• When we share personal information with third parties in connection with a merger, acqusition, or sale of all or a portion of our assets. You will be notified via email and/or prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you have regarding your personal information.
• Where you provide your consent to share your personal information with another company for marketing purposes enabling them to send you offers and promotions about their products and services. If you no longer wish to allow us to share such information with third parties, please contact us at http://service.lego.com/contactus to opt-out. In some instances you may need to contact that third party directly.
• When you ask us to share your personal information with third-party sites or platforms, such as social networking sites. Please note that once we share your personal information for marketing purposes with another company, the information received by the other company becomes subject to the other company’s privacy practices.
6. Your controls and choices
We provide you the possibility to exercise certain controls and choices regarding our processing of your information which includes:
• You may correct, update and delete your registration account.
• You may change your choices for subscriptions, newsletters and alerts.
• You may choose whether to receive offers and promotions from us for our products and services, or products and services that we think may be of interest to you.
• You may choose whether we may share your personal information with other companies so they can send you offers and promotions about their products and services.
• You may request access to the personal information we hold about you and that we amend or delete it and we request third parties with whom we have shared the information with to do the same.
You may exercise your controls and choices, or request access or deletion of innacuracies to your personal information, by visiting your account(s) or contacting LEGO Consumer Services at http://service.lego.com/contactus. If you contact us through LEGO Consumer Services we will have to verify your identity for security purposes. Changes may take up till 10 days before they are active. Please be aware that if you do not allow us to process personal information from you, we may not be able to deliver certain products and services to you, and some of our services may not be able to take account of your interests and preferences. If you have questions regarding the specific personal information about you that we process or retain, please contact LEGO Consumer Services.
We will retain your information for as long as your account is active or as needed to provide services. If you wish to cancel your account or request that we no longer use your information to provide you services contact us at http://service.lego.com/contactus. We will retain and use your information as necessary to comply with our legal obligations, resolve disuptes, and enforce our agreements.
As true of most Web sites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), reffering/exit pages, operating system, date/time stamp, and/or clickstream data. We do not link this automatically collected information to other information we collect about you.
Technologies such as: cookies, beacons, scripts and tags are used by LEGO and our third party tracking utility partners and service providers. These technologies are used in analyzing trends, adminsitering the site, tracking users’ movements througout the site, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and aggregate basis.
8. Children’s privacy
We recognize the need to provide further privacy protections with respect to personal information we may process from children on our sites, channels and applications. Some of the features on our sites, channels and applications are age-gated so that they are not available for use by children, and we do not knowingly collect, use, or process personal information from children in connection with those features. When we intend to process personal information from children, we take additional steps to protect children’s privacy, including:
• Notifying parents about our information practices with regard to children, including explaining the types of personal information we may collect, use and process from children, the use we make of that personal information, and whether and with whom we may share that information
• In accordance with applicable law, obtaining consent from parents for the collection, use and processing of personal information from their children, or for sending information about our products and services directly to their children
• Limiting our collection, use and processing of personal information from children to no more than is reasonably necessary to participate in an online activity
• Giving parents access or the ability to request access to personal information we have collected, used or processed from their children and the ability to request that the personal information be changed or deleted
For children in the age group of 13 to 18 years we follow applicable laws.
A. The Information we collect from children, how we use it, and how and when we communicate with parents
The LEGO Group offers to its users a range of sites, channels and applications, some of which are primarily targeted at families with users of all ages and others which are targeted at children. Our sites, channels and applications offer a variety of activities, including activities that may include collection of information from children. Below we summarize potential instances of collection and outline how and when we will provide parental notice and/or seek parental consent. In any instance that we collect personal information from a child, we will retain that information only so long as reasonably necessary to fulfil the activity request or allow the child to continue to participate in the activity, and ensure the security of our users and our services, or as required by law. In the event we discover we have collected information from a child in a manner inconsistent with COPPA’s requirements, we will either delete the information or immediately seek the parent’s consent for that collection.
Children can, in many cases, register with our sites and applications to view content, play games, participate in contests, and engage in special features, among other things. During the registration process, we may ask the child to provide certain information for notification and security purposes, including a parent or guardian’s email address, the child’s first name and gender, the child’s member or account username, and password. We may also ask for birth dates from children to validate their ages. We strongly advise children never to provide any personal information in their usernames.
Please note that children can choose whether to share their information with us, but certain features cannot function without it. As a result, children may not be able to access certain features if required information has not been provided. We will not require a child to provide more information than is reasonably necessary in order to participate in an online activity.
About the collection of parent email address: Consistent with the requirements of COPPA, on any child-targeted site or application, or in any instance where we ask for age and determine the user is age 12 or under, we will ask for a parent or guardian email address before we collect any personal information from the child. If you believe your child is participating in an activity that collects personal information and you or another parent/guardian have NOT received an email providing notice or seeking your consent, please feel free to contact us at Data Privacy Officer email@example.com. We will not use parent emails provided for parental consent purposes for marketing directed towards the parent, unless the parent has expressly opted in to email marketing or has separately participated in an activity that allows for such email contact.
Content generated by a child
Certain activities on our sites, channels and applications allow children to create or handle content and save it with the LEGO Group. Some of these activities do not require children to provide any personal information and therefore may not result in notice to the parent or require parental consent. If an activity potentially allows a child to insert personal information in their created content, we will either pre-screen the submission to delete any personal information, or we will seek a parental consent by email for the collection. Examples of created content that may include personal information are:
– stories or other open-text fields,
– drawings that allow text or free-hand entry of information,
– pictures of your child,
– audio or movie files representing your child, and
– other persistent identifiers that can be used to clearly identify your child.
If, in addition to collecting content that includes personal information, the LEGO Group also plans to post the content publicly or share it with a third party for the third party’s own use, we will obtain a higher level of parental consent (verifiable parental consent)
Parental consent mechanisms:
Email consent (low level consent):
In the event the LEGO Group wishes to collect personal information from a child, COPPA requires that we first seek a parent or guardian’s consent by email. In the email we will explain what information we are collecting, how we plan to use it, how the parent can provide consent, and how the parent can revoke consent. If we do not receive parental consent within a reasonable time, we will delete the parent contact information and any other personal information collected from the child collected for the purpose of contacting you.
Verifiable consent (high level consent):
In the event the LEGO Group collects personal information from a child that will be posted publicly or disclosed to a third party, we will seek a higher level of consent than email consent. Such “high-level” methods of consent include but are not limited to asking for a credit card or other payment method for verification (with a nominal charge involved), speaking to a trained customer service representative by telephone or video chat, or requiring a signed consent form by mail, email attachment, or fax. After providing high-level consent, a parent may have the opportunity to use a pin or password in future communications as a way to confirm the parent’s identity.
Contests and sweepstakes
For contests and sweepstakes, we typically require only the personal information necessary for a child to participate, such as first name (to distinguish among family members) and parent email address (to notify the parent where required by law). We only contact the parent for more personalized information for prize-fulfilment purposes when the child wins the contest or sweepstake.
Of course, some contests and sweepstakes ask the child to submit their own created content along with the child’s entry. In those instances, we may require parental consent prior to submission. Please see content generated by a child above for more information on our collection, notice, and consent policies. Parent’s will be sent a notice along with instructions on how they may provide their consent for their child to particiapate in such activities via email (sent to the email address on file for the parent). We will not allow your child to participate in such activities until we have received your consent for them to do so.
Email contact with a child
On occasion, in order to respond to a question or request from a child, the LEGO Group may need to ask for the child’s online contact information, such as an email address. The LEGO Group will delete this information immediately after responding to the question or request.
In connection with certain activities or services, we may collect a child’s online contact information, such as an email address which is collected from the parent, in order to communicate with the child more than once. In such instances we will retain the child’s online contact information to honour the request and for no other purpose such as marketing. One example would be a newsletter that provides occasional updates about a site, game/activity, television show, personality/character, or feature movie. Whenever we collect a child’s online contact information for ongoing communications, we will simultaneously require a parent email address in order to notify the parent about the collection and use of the child’s information, as well as to provide the parent an opportunity to prevent further contact with the child. On some occasions a child may be engaged in more than one ongoing communication, and a parent may be required to “opt-out” of each communication individually. Parent’s may opt their child out from receving these types of communications by following the unsubscribe instructions located within each communication or by emailing us at http://service.lego.com/contactus.
Push notifications are notifications on mobile and other devices that are typically associated with downloaded applications, and which can communicate to the device holder even when the application is not in use. We will require a child to provide a parent email address before the child can receive push notifications from our child-directed applications that collect a device identifier. We will then provide the parent with notice of our contact with the child and will provide the parent the opportunity to prevent further notifications. Finally, we will not associate the device identifier with other personal information without contacting the parent to get consent. If you no longer wish to allow your child to receive these types of communications, you may turn them off at the device level.
If a child-directed site, channel or application collects information on children´s geographical location (geolocation information) on street name, address or coordinates we will first seek parental consent via email. This also means that we will in some instances collect data on children´s geolocation information where parental consent is not required i.e. information not linked to the specific child in regards to city, country and region. In order to request that we no longer collect such information you may turn this off at the device level in the settings or by contacting us at http://service.lego.com/contactus.
• provide children with access to features and activities on our sites and applications
• customize content and improve our sites and applications
• conduct research and analysis to address the performance of our sites and applications
• generate anonymous reporting for use by the LEGO Group
In the event we collect (or allow others to collect) such information from children on our sites and applications for other purposes, we will notify parents and obtain consent prior to such collection
B. When information collected from children is made available to others
In addition to those rare instances where a child’s personal information is posted publicly (after receiving high-level parental consent), we also may share or disclose personal information collected from children in a limited number of instances, including the following:
• We may share information with our service providers like software solutions, online security, and customer service; however, these companies are prohibited from using your personal information for purposes other than those clearly defined by us or required by law and we have written contracts in place to ensure this.
• We may disclose personal information if permitted or required by law, for example, in response to a court order or a subpoena. To the extent permitted by applicable law, we also may disclose personal information collected from children (i) in response to a law enforcement or public agency’s (including schools or children services) request; (ii) if we believe disclosure may prevent the instigation of a crime, facilitate an investigation related to public safety or protect the safety of a child using our sites or applications; (iii) to protect the security or integrity of our sites, applications, and other technology, as well as the technology of our service providers; or (iv) enable us to take precautions against liability.
• Parents have the right to consent to the collection, use and processing of their childs personal information without also having to consent to the disclosure of that information to third parties as we do not share information with third parties other than as disclosed above.
Parental choices and controls
At any time, parents can refuse to permit us to use and collect further personal information from their children in association with a particular account, and can request that we delete from our records the personal information we have collected in connection with that account. Please keep in mind that a request to delete records may lead to a termination of an account, membership, or other service.
Where a child has registered for a LEGO ID account, we use two methods to allow parents to access, change, or delete the personally identifiable information that we have collected from their children:
1.Parents can request access to and delete their child’s personal information by logging on to the child’s
account through the https://account.lego.com site located here. Parents will need their child’s username and password.
The https://account.lego.com site home page explains how to recover a password if the child cannot recall it.
2.Parents can contact Consumer Services to request access to, change, or delete their child’s personal
information by clicking here http://service.lego.com/contactus.
Any other inquiries may be directed to:
LEGO System A/S
In any correspondence such as e-mail or mail, please include the child’s username and the parent’s email address and telephone number. To protect children’s privacy and security, we will take reasonable steps to help verify a parent’s identity before granting access to any personal information.
We will retain your child’s information for as long as their account is active or as needed to provide them services. If you wish to cancel your child’s account or request that we no longer use that information to provide them services, please contact us at http://service.lego.com/contactus.We will retain and use their information as necesasry to comply with our legal obligations, resolve disputes, and enforce our agreements.
If we make material changes to how we use Personal Information collected from children under age 13, we will notify parents by email in order to obtain verifiable parental consent for the new uses of the child’s Personal Information.
9. Employees at the LEGO Group
Whether you are an employee or applying for a job at the LEGO Group we will process specific information relevant for your employment and application. The principles in sect. 1 will also apply to your employment or application.
10. LEGO Partners
We define LEGO Partners as other companies doing business with the LEGO Group. As a LEGO Partner we will process information on your company and in relation to the transactions for the purpose of administering our collaboration and for evaluation purposes.
11. Data security and integrity
The security, integrity and confidentiality of your information are extremely important to us. We have implemented technical, administrative and physical security measures that are designed to protect personal information from unauthorized access, disclosure, use and modification. However you also play an important part in protection your information. It is important that you do choose a password that is not easy for others to guess and that you do not share your passwords.
From time to time, we review our security procedures to consider appropriate new technology and methods. All external transfers that contain personal information are done using encrypted technology. Please be aware though that, despite our best efforts, no security measures are perfect or impenetrable.
Information in regards to credit card details is handled by approved service providers that are in compliance with the PCI (Payment Card Industry) standards and have appropriate safeguards setup.
Should you notice any flaws or concerns in our security please do not hesitate and contact us http://service.lego.com/.
Should the LEGO Group experience a data breach and your information be involved, we will contact you if there is a risk of your data being misused and if we are legally obliged to do so. In some instances the LEGO Group will also be legally obliged to contact (data protection) authorities when a breach of privacy information occurs.
12. Data transfers, storage and processing globally
The Binding Corporate Rules provide the highest security to you when it comes to how your information is processed.
14. Contact information
In your request, please specify your identity and the subsidiary of the LEGO Group of companies to which your request pertains. If no LEGO Subsidiary is specified, we will treat your request as pertaining to LEGO System A/S.
Our sites and applications may contain links to other sites not owned or controlled by us and we are not responsible for the privacy practices of those sites. We encourage you to be aware when you leave our sites or applications and to read the privacy policies of other sites that may process your personal information.