This policy governs any kind of processing (including collection, use, transfer, storage and deletion) of personally identifiable information (any information that may be used to identify a physical person, and any other information associated therewith) about natural persons, which are either consumers of LEGO® products or services, or representatives of our cooperation partners (“personal data”), by all business units and entities within the LEGO Group. This policy applies to our processing of personal data collected through any means, actively as well as passively, online as well as offline, from persons located anywhere in the world. Any question regarding our processing of personal data may be directed to:
LEGO SYSTEM A/S
DK-7190 Billund Denmark
Attn: Privacy Officer
or to the company within the LEGO group of companies closest to you. LEGO entities.
Generally, the LEGO Group will be guided by the following principles when processing personal data:
1. We will only collect personal data for specific and specified purposes;
2. We will not collect personal data beyond what is necessary to accomplish those purposes;
3. We will not use personal data for purposes other than that for which the data was collected, except as stated herein, or with prior consent;
4. We will not transfer personal data to third parties or across borders, except as stated herein, or with prior consent;
5. We will seek to verify and/or update personal data periodically, and we will accept requests for amendments of personal data;
6. We will apply high technical standards to make our processing of personal data secure;
7. Except when stated herein, we will not store personal data in identifiable form longer than is necessary to accomplish its purpose, or as is required by law.
The LEGO Group encourages families to visit our LEGO.com sites together as a shared activity.
Transfer of personal data to third parties and/or other countries
As a general principle, we process personal data in order to facilitate or improve the LEGO Group’s offerings and services to you. We do purchase supplementary data from public sources to complement our data bases.
We do not process personal data on behalf of third parties, nor do we sell personal data to, or share personal data with, third parties for their own, independent use, except if you allow us to do so (see LEGO Shop at Home below).
We do share personal data with third party vendors when it is necessary to provide services that we don’t perform ourselves, e.g. shipping of LEGO® products, mailing of LEGO® Club Magazines, etc.
We also use third party data hosting companies to store personal data collected by us in their servers, and to do data validation checks for us (see LEGO ID - Linked Accounts below).
We undertake or commission consumer research projects from time to time and we may share personal data with third party research companies for this purpose. Also, such third party research companies may host survey data in their data bases on our behalf.
All data transfers to third party vendors or partners, including those listed as examples above will be subject to a written contract between us and the third party vendor or partner in question, and the vendor or partner will not have any authority to use such personal data for any purpose other than as instructed by us.
When relevant, personal information may be shared among the business units and entities inside the LEGO Group. LEGO entities.
We will disclose personal data when legally obligated to do so under subpoena or court order, or for law enforcement purposes. For operational security reasons, we process (mirror) personal data in Europe and the United States. This means that all personal data processed by us is transferred between our facilities in Europe and the United States periodically.
Personal data collected online from children under the age of 13
When a child under the age of 13 (or such higher age as may be determined by local law; in the following, the age 13 is used as the common denominator for easy reference) contacts the LEGO Group online, for example to participate in a contest or to ask a question, we will collect that child's email address and the e-mail address of the child's parent or guardian. We will use the child's e-mail address only for the purpose for which it was collected, and we will use the e-mail address of the parents or guardians only to provide notification about the child's contact with us, and to provide notification of the types and uses of personal data collected, if and as required by law.
As a parent or guardian of a child under the age of 13 from whom we have collected personal data, you have the right to review and have deleted such personal data, and to refuse to permit further collection or use of such personal data. To do so, you should contact us by clicking here Parents and guardians who wish to review personal data concerning their children will be required to specify the usernames and passwords of the children concerned, and to provide their own e-mail address for verification and contact purposes.
We cannot and will not establish conditions that will require or encourage children to disclose personal data over and above what is reasonably necessary to participate in any activity features on our web sites.
Children under 13 years of age are allowed to participate in contests. However, if such a child wins, notification will be sent to the parent or guardian's e-mail address (provided by the child when he/she enters the contest). Also, we will not ask the child for any personal data beyond e-mail addresses without obtaining prior parental consent. Any personal data obtained from children and parents during contests will be kept until the contest ends and prizes are delivered, and then it will be deleted.
If any online activity offered by us will allow children under the age of 13 to reveal personal data publicly (for example via un-moderated chat rooms or bulletin boards), we will obtain parental consent before allowing the child to participate. Currently, all such activities are moderated, monitored and/or screened.
Processing of personal data through LEGO® channels
We have introduced one common profile platform (LEGO ID) which is usable across different LEGO online applications. When you have created one LEGO ID for one application, it can be used for other applications as well.
A LEGO ID may be created by children and adults alike, but where an individual younger than 13 signs-up, we will, as a general rule, collect personal data from the parents or legal guardian of the child rather than the child.
In order to create a LEGO ID, we will process personal data such as email address (and a parent or legal guardian email address if the creator is under the age of 13), birthday, country of residence, and gender. We will also require a password and a username to be created.
The email address is used for sending account notifications and other system-related information as needed.
By linking children’s LEGO ID’s with parents or legal guardians LEGO ID’s, we enable more substantial parental control over the child’s online activities. In doing so, however, it is extremely important that we can verify the relationship between the child and the parent or legal guardian to whose LEGO ID the child’s LEGO ID is to be linked.
For this reason, we will process personal data in regards to the parent or legal guardian such as first and last name, mailing address, date of birth and a more reliable type of offline ID number (e.g. driver’s license number or social security number, personal identification number or the like) varying by jurisdiction.
We will transfer these data to an external service provider, which will perform the validation for us. Validation services will be performed under a written contract between us and the service provider.
We will not store personal data collected for the validation in our archives. The result we receive back will be a “match” (in which case the child and the parent or legal guardian LEGO ID’s will be linked) or a “no match” (in which case the LEGO ID’s will not be linked, until and unless an appropriate relationship between the child and the applicant has been established otherwise).
The external service provider will process and store the personal data submitted by us strictly for documentation purposes.
LEGO Shop at Home
When you use our LEGO Shop at Home service online or offline (e.g. ordering online via shop.LEGO.com or via the LEGO Consumer Services Center, via catalogue or otherwise), we will process transaction-related personal data, such as your first and last name, mailing and shipping address, phone number, email address, credit card or other payment information, and (if you have created a [LEGO ID]) your date of birth and gender. We will also process information about your purchases with us.
We will use such personal data to process and deliver your order, to provide notification of order status, and to update your profile periodically to ensure that we have the most accurate personal data available. We will also use said personal data to analyze customer behavior and to customize our LEGO Shop at Home communication with you, if applicable. In this respect, we may transfer tracking information about your use of our sites to external service providers, which will help us optimize your browsing experience. Optimization services will be performed under a written contract between us and any service provider.
If you opt-in (or upon request), we will send you LEGO Shop at Home promotional and marketing emails. These may be targeted to you based on your purchase history or online browsing behaviour.
You may allow us to share your name, address and ordering activity with carefully selected third parties in whose products we believe you might be interested.
LEGO VIP Program
If you are 13 years or older (age limitation may vary by country), you can join our LEGO VIP Program in physical LEGO Brand Retail Stores, online via LEGO Shop at Home, by phone via the LEGO Consumer Services Center, or through LEGO events offered by the VIP program. If you sign up in a store or by phone, you will be required to subsequently visit VIP.LEGO.com/Register to finalize the sign-up process online.
We will process personal data such as your first and last name, address details, phone number, cell phone number (optional), email address, credit card or other payment information, LEGO ID username and password, date of birth and gender. We will also process information about your purchases with us (online and offline), marketing preferences and your use of LEGO.com related websites.
We use your personal data to send you regular email newsletters, to send you marketing offers (if you opt-in) via catalogues, emails and text messages, to analyze customer behavior and to customize our LEGO VIP Program communication with you. We will also use your personal data to update your profile periodically to ensure that we have the most accurate personal data available.
Children can join the LEGO Club. If the child is under the age of 13, we will, as a general rule, collect personal data relevant to the membership from the parents or legal guardian of the child rather than the child. Where the only personal data needed is the email address of the child (e.g. for participation in a contest), we may collect the email address directly from the child, and provide notification to the parents or legal guardian as required by law.
As a member of one of the LEGO Club, the child may receive periodical LEGO Club Magazines, LEGO Club email newsletters, and be able to participate in contests, etc.
When completing a LEGO Club membership application, you consent to the LEGO Club using your child’s information for mailings and emails. The data will be used only for LEGO mailings and will not be sold, rented, or otherwise disclosed to any company outside the LEGO Company except for companies acting as our agents to help us provide services requested by the child.
We will process personal data such as the child’s first and last name, mailing address, gender, date of birth, email address and phone number, as relevant.
LEGO Consumer Service
You may contact our LEGO Consumer Service Center with questions or comments related to the LEGO Group, and our products and services. You may also request replacement parts for your LEGO® sets, request catalogues, etc.
When you contact us, we will process personal data such as age group, your email address, your gender, first and last name, mailing address, phone and/or cell phone number, as relevant.
Your browser settings, such as the type of browser you use and what plug-ins you have installed. This keeps us from bothering you every time you enter the site in order to make sure that you have the necessary equipment to play a game or download information from our sites. It also allows us to know how many people are using certain types of software, so that we can adjust our site to provide the best browsing experience for every visitor. Your language and region choice. This means that if you have once chosen English as a language this is the default language that will be using when you revisits us What games you play, your high scores and your progress in the games – depending on the features of each game. This state is saved in Flash Local Shared Objects a.k.a. Flash cookies.
Your LEGO ID sign-in state.
Your shopping cart and shopping options.
What products you view and buy in the shop so we can provide you with suggestions.
What products and gallery entries you have rated and the rating you have given.
The last time we asked you to participate in a survey and whether you answered it so we do not prompt you too often.
Your movement on and usage of our sites. We do not collect personal data as part of this. We collect statistical data so we can optimize our site.
Recently used data - to improve performance. In case we store personal data in a cookie, the information will be encrypted and thus safe.
Some cookies last until you close your browser, others are stored for longer. Our maximum cookie age is 400 days – as we want to make sure that you can find your information if you only visit us approximately once a year.
We use third party companies as suppliers for some of our functions. Their use of the data is controlled by our contract with them and they are only allowed to use the data strictly for the purpose we have stated .e.g. the data is not used in connection with data from other companies and we are not tracking user behavior outside our own sites.
Most browsers automatically accept cookies. You can prevent cookies from being stored on your computer or device by setting your browser to not accept cookies. Some browsers provide a mode where cookies are always deleted after a visit. This is called InPrivate in Internet Explorer version 8 and newer; Incognito in Google Chrome version 10 and newer; Private Browsing in Firefox version 3.5 and newer; Private Browsing in Safari version 2 and newer and Private Browsing in Opera version 10.5 and newer.
The exact instructions for this can be found in the manual for your browser. You can delete cookies already on your computer or device at any time. If you choose not to accept cookies at all, you can still visit our website, however we cannot guarantee an optimum experience without cookies.
In some cases, a browser is inside another program. This list tells you how you control those:
For LEGO Digital Designer on Mac use Safari.
For LEGO Digital Designer on PC use from Internet Explorer.
For LEGO Mindstorms on Mac and PC simply restart the program.
Review and update of personal data
You may always contact us to review and update personal data we may have stored about you. You may either use the following link or contact our LEGO Consumer Service. Please note that prior to accessing and making changes to your account, we must verify your identity properly. It may take up to 10 business days before changes take effect.
Access to a number of LEGO.com services are protected by access restrictions based on the LEGO ID user name and password. It is important that you always choose a password which is hard to guess for others, and protect your password against disclosure.
All external transmissions of personal data facilitated by us are protected by encryption.
All data storage, at LEGO Group operated computer facilities as well as at business partner facilities, will be subject to written contracts.
Generally, processing of personal data will take place in accordance with applicable legislation and best practices concerning data security.
Credit card information is directed to one or more approved and certified service provider(s), and will not be stored by us for longer than it takes to process the data.
Handling of personal data is controlled by documented policies and procedures, including strict physical and logical access control, security back-up, failover, anti-malware protection, monitoring and vulnerability detection mechanisms.
The LEGO Group may need to change its data processing policy from time to time to keep up with the ways in which we collect, use, transfer, store and/or delete personal data. If policy changes are made, which would materially and adversely affect the privacy of individuals to whom this policy applies, we will endeavor to give notice of such changes to all individuals concerned.
EFFECTIVE DATE: 25th May 2011