Data protection declaration

The Data Controller for data processing at Heide Park and via the website heide-park.de is:

Heide-Park Soltau GmbH

Heide Park 129614 Soltau

Phone: 01806 - 91 91 01

(€0.20/call from a landline, mobile max. €0.60/call)

E-mail: info@heide-park.de

Heide-Park Soltau GmbH is a subsidiary of Merlin Entertainments Limited (“Merlin”), an entertainment company headquartered in the United Kingdom, with its registered office at Link House, 25 West Street, Poole, BH15 1LD. Merlin operates over 100 attractions and 20 hotels and resort villages in 30 countries. Our business is about creating unique, memorable and rewarding visitor experiences. A list of our attractions and a note of the companies that make up the Merlin group which help to achieve this is available HERE (“Merlin Group”).

The entity in the Merlin Group which was originally responsible for collecting information about you will be the Data Controller. Other entities in the Merlin Group may also be Data Controllers where they control the use or processing of such data. If you are visiting other websites of the Merlin Group, data may be collected, and other companies may be responsible for data protection in line with their privacy notices available on their websites. We will inform you any time that we at Heide Park jointly processes your personal data with another company in the Merlin group.

There is a single point of contact for all Data Controllers within the Merlin Group, whose contact details are set out in section 2.

The primary point of contact for all questions related to this Notice is the Merlin Data Protection Team:

Data.Protection@merlinentertainments.biz

You can reach the external data protection officer of Heide-Park Soltau GmbH directly at the following address:

Personal / Confidential - Daniela Schott c/o intersoft consulting services AGBeim Strohhause 1720097 Hamburg

E-mail: dschott@intersoft-consulting.de

You can submit a request to exercise your rights as a Data Subject completing the form available at the following link:

Merlin Data Subject Request Form

3.1 WHEN do we collect Personal Data?

As a matter of principle, we process your personal data only insofar as this is necessary for the provision of our services as well as our online offers and content.

We collect personal data directly from you when you browse the website of one of our attractions, when you sign up for a newsletter there, when you use one of our apps, when you purchase an admission ticket or an annual pass, when you make a booking by phone, when you visit our attractions (CCTV) or log into the Wi-Fi of one of our attractions, when you visit our online shop and make a purchase there, when you book a stay at one of our hotels, you participate in a survey or competition, or contact us with questions and suggestions, etc.

In particular, we would like to draw your attention to the following data collections:

When you visit our online shop, we collect personal data in order to be able to offer you the service, to make your shopping experience as pleasant as possible, to suggest interesting products, to better understand user behaviour, to improve our offer and for security reasons.

With your consent, we will record telephone calls to record your consent to receive promotional materials.

When you use our App, we collect personal data so that we can provide you with the App Service and related features, to improve the functions and features of the App, to prevent misuse and troubleshoot, and to provide you with a personalized visitor experience.

If someone has registered for a family annual pass or participated in a competition on your behalf, the information about you will be passed on to us via the respective family member or third party.

We may also receive some personal data about you indirectly, such as family members or legal guardians, promotional partners, payment providers, third party merchants, etc..  For example, if someone has registered for a family annual pass or participated in a competition on your behalf, the information about you will be passed on to us via the respective family member or third party.

We never knowingly collect personal information from children for marketing purposes without making it clear that such information may only be provided with parental consent, where required by applicable law. Merlin therefore uses children's data only to the extent permitted by law and only if the parents or guardians have given their consent.

3.2 WHAT Personal Data do we collect?

We may collect the following information from prospective, past and current Customers, and visitors to our attractions and this website ("Customers"):

Personal master data : name, address, date of birth, telephone number, e-mail address (in the context of ticket purchase or shipping)

Weblogs and usage data: technical information about visits to our website (IP address, URL of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, device data such as browser type and version, language setting, screen resolution, the user's operating system, referrer URL (= the previously visited page), the requesting provider), website histories, frequency of visits, user behaviour on the website.

Cookies: For more information about cookies, please refer to our Cookie Statement.

Engagement Details including your purchase history and attraction visit history.

Marketing Preferences: Your marketing preferences including interests, listings, permissions for and objections to advertising, website data, online identifiers such as advertising IDs. For more information on this, please also refer to our separate Cookie Statement.

Information in form fields: Information that you provide by filling in forms on our website. This includes information provided when you register on our website, subscribe to our services, send you materials or request additional services. We also ask for information if you want to report a problem with our website.

Content of contact requests: If you contact us about a problem or concern, we will record the content of the respective contact in order to be able to process your request.

Survey Data: Information you provide in a voluntary survey regarding services received or your experience at an attraction.

Transaction Data: Information about transactions you carry out through our website and/or when you make bookings, including credit or debit card details.

Booking data: your name, address, telephone number and e-mail address, your Customer number, in order to send you booking confirmations or, if necessary, to let us know that we need to contact you urgently about your booking.

Purchase and visit history: your name, your Customer number, your purchases, your visit data.

Physical security records:

Physical security records: CCTV is used for safety and security monitoring.

3.3 What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?

We will use your personal data to:

• ensure that content from our site is presented in the most effective manner for you and for your computer.
• provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
• carry out our obligations arising from any contracts entered into between you and us.
• allow you to participate in interactive features of our service, when you choose to do so.
• notify you about changes to our service.

We may also send you marketing materials as explained in more detail below under Section 8. This process is likely to include Profiling, you will find more information about Profiling is provided at Section 7 of this Privacy Notice.

We will also need to use your personal data for purposes associated with our legal and regulatory obligations in relation to health and safety when you visit one of our attractions (in particular when assessing restricted space requirements for wheelchair users or if there is an incident at one of our attractions) and in relation to consumer protection requirements or taxation purposes (for example to respond to any queries in relation to advertising standards and to ensure we accurately report on visitor numbers and/or revenue).

We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 3.3 and in Appendix 1 where we are satisfied that:

• our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your booking for entry tickets to an attraction), or
• our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with Supervisor Body requirements), or
• our use of your personal data is necessary to support 'Legitimate Interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights. Where required under separate local laws, we will also ensure that you have opted in to send you marketing materials - see Section 8 below for more details. Please see Appendix 1 for more details about our Legitimate Interests.

Before collecting and/or using any Special Categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be:

1. your explicit consent;
2. the establishment, exercise or defence by us or third parties of legal claims; or
3. a specific exemption provided under local laws of EU Member States and other countries implementing the GDPR.

3.4 What are YOUR RIGHTS?

In connection with the processing of your personal data, you have the following rights:

1. To request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR.
2. To rectification (Art. 16 GDPR),
3. To restriction of processing (Art. 18 GDPR),
4. To erasure (Art. 17 GDPR),
5. To data portability (Art. 20 GDPR) under the respective legal requirements.
6. To object to the processing under the legal requirements (Art. 21 GDPR).

Without prejudice to these rights above and the possibility of pursuing any other administrative or judicial remedy, you have the right  to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, at any time, if you consider that the processing of your personal data is contrary to the data protection regulations (Art. 77 GDPR).

In the following, we briefly explain the scope of each right:

3.4.1 Table of Data Subject Rights

3.4.2        Exercising your rights

In order to exercise your rights, you can contact us using the data listed in section 2. Please note the following:

Proof of identity. If there is any doubt about your identity in an enquiry, we are obliged to ask for proof of identity.

Respites. We aim to respond to all legitimate requests within one month. If a request is particularly complicated or you have made several requests, it may be necessary to extend this period to three months. We will let you know within one month if it takes more than one month to process your request. In case of doubt, we will ask you to explain your request to us in more detail. This will help us process your request more quickly.

Exceptions. National laws may introduce further exceptions to the right of access. For example, under the laws of the United Kingdom, you may not be provided with information in certain circumstances because the information in question is subject to a duty of confidentiality. According to German law (according to § 34 BGDS), the right to information does not apply in particular if the data is only stored in order to fulfil statutory or statutory retention obligations or exclusively for the purposes of data backup and data protection control and the provision of information would require a disproportionately large effort and processing for other purposes is excluded by suitable technical and organisational measures.

CONSENT MANAGEMENT ON THE WEBSITE: You can set your cookie preferences at any time while navigating the Heide Park website by accessing the Consent Management Tool available at the bottom of each page by clicking on this icon:

Heide Park needs to communicate the Personal Data collected to third parties to pursue the purposes for which Personal Data is processed under the Legal Bases listed in Appendix 1.

Personal Data is shared with third parties to enable the administration of our business and the provision of services. These third parties need to access your personal data from time to time.

You can get a list of all these entities to whom we communicate Personal Data by reaching out to the Data Protection team at the contacts provided above in Section 2.

4.1        Service Providers

Insofar as our Service Providers come into contact with your personal data, we oblige them to treat Personal Data confidentially and only for the agreed purpose and to ensure that they comply with the provisions of data protection laws and maintain the data protection standards that are equal to those at Merlin. We conclude data processing agreements (DPA) with every provider, this is a contract prescribed by data protection law, which ensures that the provider only processes the personal data in accordance with our instructions and in compliance with the GDPR. Please take note of the respective privacy notices of the providers. each respective Service Provider is responsible for the content of its third-party services.

These include Service Providers who maintain our IT and background systems and support our Customer relationship management activities, Legal and other Service Providers (including auditors)

4.2 Supervisory Authorities

We might need to share Personal Data with Supervisory Authorities, including the German data protection supervisory authorities, as well as other supervisory and law enforcement authorities in EU countries and worldwide.

4.3 Merlin Group

Heide Park is part of the Merlin Group, so if necessary for the purposes we collected the data, it may disclose personal data to other companies in the Group or company branches, companies resulting from possible mergers, demergers, or other transformations of Heide Park.

Your personal data may be made available to Merlin employees, temporary staff, workers and contractors, and agencies, investors and suppliers in the course of providing our services. Your personal data may be shared with any company that is a member of our group, where we have a lawful basis upon which to do so for example internal administrative purposes, corporate strategy, auditing and monitoring. We may also share your personal information with our group companies where they provide products and services to us, such as information technology systems, health and safety monitoring, security services and human resources services. Access to your personal information is limited to those employees who need to know the personal data.

In the case of the transfer of personal data or the granting of access to such data within the Merlin Group for internal administrative purposes, the disclosure of the data is based on our legitimate entrepreneurial and business interests, Art. 6 para. 1 sentence 1 lit. f GDPR.

Transfer of your personal data within the Merlin group is regulated by our intra-group data transfer agreement.

Also, in the event of a sale of parts of our company, we would have to pass on your personal data to the buyer.

Merlin is a global group and may transfer the personal data we collect about you internationally to our Group companies or third parties, so long as there is a lawful basis for doing. For transfers between Merlin group entities an intragroup agreement is in place. In certain limited circumstances we may seek your explicit consent to send your personal data. Before sending your personal data internationally, we will ensure that appropriate safeguards are in place to protect your data and that all transfers are carried out in compliance with your rights and interests.

When selecting our Service Providers and partners, we take great care to ensure that data processing preferably takes place in the European Union. However, this is not possible in all cases.

Within the scope of the purposes for which we process data and in connection with the location, in particular of the servers, of Group companies or third parties, data may also be transferred outside the EU/EEA.

If and to the extent that data is transferred to third countries, we ensure that an adequate level of data protection is guaranteed in respect of the recipient before the transfer of your personal data.

A transfer to a third country will only take place if:

• the country where the recipient is located is recognised as providing an adequate level of legal protection and has received an adequacy decision in terms of Art. 45 of the GDPR;
• the recipient offers sufficient, appropriate or suitable safeguards for the protection of personal data in accordance with Art. 46 of the GDPR. Guarantees within the meaning of Art. 46 of the GDPR may be standard contractual clauses of the EU Commission. In doing so, the recipient assures that personal data will be adequately protected and that a level of data protection comparable to that provided under the GDPR will be ensured, including by implementing additional technical and organizational measures.
• it is in compliance with the provisions of Art. 49 GDPR.

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 2 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).

As a matter of principle, we only store your personal data for as long as the purpose for which it was collected requires. Thereafter, the data will either be deleted or – in case of statutory retention periods to which we are subject or an overriding Legitimate Interests conflicting with the erasure – the data will be masked and blocked for any other use. This applies, for example, to data that must be retained for commercial or tax law reasons, such as invoice data or other document data.  

'Automated Decision Making' refers to a decision which is taken through the automated processing of your personal data alone - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.

We do not use automated decision-making within the meaning of Art. 21 GDPR, but we do maintain profiling through automated processes in order to tailor advertising measures to a specific Customer.

If you are a Customer who has signed up to receive marketing updates, we may use profiling to tailor the promotional materials to your interests and to content that we think may interest you. In special circumstances, certain inferences may be drawn about you as a result of profiling, which may be among the Special Categories of your personal data. However, we will only do this if we have received your explicit consent to do so., In any case, you will always be free to withdraw your consent whenever you want.

8.1 Direct marketing by post, email, telephone

We want to be able to get in touch with our Customers, for this reason, we use postal mailings, e-mails and your phone number or social media profile to address you as a Customer.

Direct marketing by post will take place on the basis of our Legitimate Interest in advertising and publicizing our products and services until your objection, Art. 6 para. 1 sentence 1.lit f GDPR. You have the right to object to this use of your data. We will then no longer send you advertising mailings in the future. To object, it is sufficient to send an informal e-mail to data.protection@merlinentertainments.biz or an informal letter to the following address: 1. address mentioned.

According to § 7 para. 3 UWG, it is permitted to advertise further own goods or services by e-mail within the framework of existing Customer relationships, without the consent of the person concerned being required. This assumes that we have received your e-mail address in connection with the sale of a product or service, that we advertise our own similar goods or services, that you, as a Data Subject, have not previously objected to receiving advertising, and that you are made aware of this when the e-mail address is collected and each time you use it that you can object to this use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic tariffs. You will therefore find an "unsubscribe link" in each of our emails to you, which you can use to opt-out of receiving such advertising, and a reference to this Privacy Notice.

We will only contact you by telephone for direct marketing purposes subject to your explicit consent.

8.2 Newsletter

8.2.1 Newsletter Subscription

You can subscribe to various newsletters on our websites, with which we inform you about our company's activities, current information about our services, special offers, promotions and events. The content of the individual newsletter will be briefly described as part of the registration process.

The legal basis for sending the respective newsletter is your consent, Art. 6 para. 1 sentence 1 lit. a GDPR or, without your explicit consent, only if all the requirements of the legal permission according to § 7 para. 3 UWG are met.

To subscribe to our newsletters, we use the so-called double opt-in procedure. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we will ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration, your information will be automatically deleted after 4 days. Data of people who unsubscribe will be completely deleted after 30 days.

The only mandatory information for sending the newsletter is your e-mail address. The provision of further data is voluntary: this data will be used to address you personally.

After your confirmation, we will store your e-mail address for the purpose of sending you the newsletter and until revoked. We also store your current IP address at the time of registration, the time of registration (timestamp) and the confirmation for up to three years after registration (statute of limitations). The purpose of this procedure is to be able to prove your registration in case of doubt and, if necessary, to clarify any misuse of your personal data.

The legal basis for logging the registration is our Legitimate Interest in proving a given consent in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, see also Art. 7 para. 1 GDPR.

8.2.2 Shipping Service Providers

The newsletter is sent via our Service Provider.

In order to ensure the level of data protection, a data processing agreement is in place with the shipping Service Provider in accordance with Art. 28 para. 3 sentence 1 GDPR.

For the purpose of optimising its own services, e.g. for the technical organisation of dispatch and for optimising the presentation or for statistical purposes, the shipping Service Provider may use the data of Data Subjects exclusively in pseudonymous form, i.e. no assignment to a user is made within the scope of this processing. Under no circumstances will the shipping Service Provider use the data to contact you itself. Your personal data will not be passed on to third parties by the shipping Service Provider.

The legal basis for the data processing described is our Legitimate Interest in accordance with Art. 6 para. 1 sentence 1 f GDPR in the optimization of our business processes and the promotion of our business purposes.

8.2.3 Newsletter Tracking

We would like to point out that when the newsletter is sent, your user behaviour will be evaluated. The e-mails in question contain so-called web beacons or tracking pixels, which are retrieved from our server or the server of our Service Provider when the newsletter is opened.

For the evaluations, we link the web beacons to the e-mail address and an individual ID. Links received in the newsletter also contain this ID. We use the data obtained in this way to create target group-specific user profiles in order to tailor the newsletter to your respective interests. In doing so, we record when our newsletters are read, and which links are clicked on and infer your personal interests from this.

Our Service Provider allows us to divide newsletter recipients according to different categories (so-called tagging). The newsletter recipients can be divided according to gender, personal preferences or Customer relationship (e.g. Customer or potential Customer). In this way, the newsletters can be better adapted to the respective target groups.

The legal basis for newsletter measurement and evaluation is our Legitimate Interest in measuring the reach and success of our newsletters.

The data you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of our Service Provider after you unsubscribe from the newsletter.

8.2.4 Possibility of objection/revocation of consent

You can revoke your consent to receive the newsletter at any time:

• by clicking on the link provided in each newsletter e-mail,
• by sending an e-mail to our address, or
• by sending a message to protection@merlinentertainments.biz.

If you do not wish the newsletter to be analysed as described in 8.2.3, you must unsubscribe from the newsletter in question. For this purpose, we provide a corresponding link in every newsletter message. In addition, the described tracking is not possible if you have deactivated the display of images in your e-mail program by default. In this case, the newsletter will not be displayed in full, and you may not be able to use all its features. If you choose to view the images manually, the above tracking will take place.

Type and purposes of processing

Personal data is collected by us when you voluntarily provide it to us, for example when you contact us. The personal data transmitted to us in this way will of course only be used for the purpose for which you provide it to us when you contact us.

The provision of this information is voluntary and, in these cases, initiated by you. To the extent that this involves information about communication channels (e.g. e-mail address, telephone number), we will use these channels to contact you in accordance with your request.

The purpose of processing your data is to process and respond to your request.

Legal basis

The legal basis for the processing of the data that you transmit to us in the course of contacting us is Art. 6 para. 1 sentence 1 lit. f GDPR. The purposes described above also constitute the Legitimate Interest in the processing.

Storage period

We will delete your data that we have received in the course of contacting you as soon as it is no longer required to achieve the purpose for which it was collected, i.e. your request has been fully processed and no further communication with you is required or desired by you.

Possibility of revocation or objection

If you wish to delete the data relating to your request, you can contact us at any time at data.protection@merlinentertainments.biz. However, we may not be able to process your request in full.

10.1 Provision of the Website

If you use the website for informational purposes only, i.e. if you do not register or otherwise transmit information to us (e.g. via the contact form), we only collect the personal data that your browser transmits to our server.

Type and purpose of processing

When you visit our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of the browser software

The collection of log files is used to log blocked or abusive website access, the security and stability of our website. As a rule, we do not know who is behind an IP address. We do not merge the data listed above with any other data.

Legal Basis

The legal basis is our Legitimate Interest, Art. 6 para. 1 sentence 1 lit. f GDPR. The stated purposes also constitute the Legitimate Interest in data processing within the meaning of Art. 6 (1) sentence 1 (f) GDPR.

Storage period

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case after one month at the latest.

Possibility of revocation or objection

The collection of this data is technically necessary in order to display our website to you and to ensure its stability and security. Since the collection of data for the provision of the website and the storage in log files are absolutely necessary for the operation of the website and for protection against misuse, our Legitimate Interest in data processing prevails at this point.

10.2 Hosting of the Website

This website is hosted by an external Service Provider. The host will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

Type and purpose of processing

The personal data collected on this website is stored on the host’s servers, this may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via the website.

Legal basis

The services of the host is used for the purpose of fulfilling the contract with our potential and existing Customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast, and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's end device within the meaning of the TTDSG.

Storage period

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

Right of revocation or objection

Once consent has been given, it can be revoked at any time with effect for the future. The lawfulness of the data processing until the revocation remains unaffected.

If you object to data processing that is carried out on the basis of our Legitimate Interest, we will weigh up the conflicting interests. If, after review, your rights and freedoms outweigh our Legitimate Interest in data processing, we will cease data processing.

10.3 Transaction and Payment Service Providers

10.3.1 Accesso

We use the payment software and related services from the Accesso Technology Group, headquartered at 1025 Greenwood Blvd Suite 500 Lake Mary, FL 32746 USA.

Type and purpose of data processing

We use Accesso as part of the sale of our online tickets and annual passes. The personal data collected via German websites is stored in a data centre in the UK. However, remote support can also be provided by US, EU or APAC Service Agents.

The following data can be processed during a transaction via Accesso:

• Surname, first name
• Address
• E-mail address
• Telephone number
• Data of Birth
• Vehicle Registration (for parking bookings)
• IP address
• Payment data
• Currency
• Customer number
• Invoice number

Storage period

The data will be stored until the purpose for which it was collected ceases to exist and will then be deleted, taking into account the statutory retention periods. Receipt and invoice data must be stored for at least 10 years in accordance with § 147 AO, § 257 HGB.

Receiver

• Accesso LLC, USA
• Ingresso Group Ltd (Accesso Europe), Unit 5, The Pavillons, Ruscombe Park, Twyford, Reading RG10 9NN, England, UK

Third-country transfer

The information collected is stored on Accesso's servers, primarily in England. However, a transfer to or access to data from the USA cannot be ruled out. We have concluded a data processing agreement with the Service Provider to secure the data as well as the EU standard contractual clauses. For the USA, there is currently an adequacy decision by the EU Commission, Accesso is certified according to the Data Privacy Framework:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2z3d0000001SZuAAM&status=Active

Legal basis

Data processing is necessary for the performance of a contract to which the Data Subject is a party or for the performance of pre-contractual measures taken at the request of the Data Subject. The legal basis for the processing is therefore Article 6 (1) (b) GDPR.

Objection / Revocation

If and to the extent that the legal requirements are met, you can terminate contracts with us. However, the lawfulness of the data processing up to this point remains unaffected.

10.3.2 PayPal

We offer the possibility to process the payment transaction via the payment Service Provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

Type and purpose of processing

We use PayPal to offer you an efficient and secure payment method. As part of the payment process, we pass on data to PayPal insofar as this is necessary for the fulfilment of the contract. These can be:

• Name
• Surname
• Address
• E-mail address
• Telephone number

PayPal reserves the right to carry out a credit report for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "instalment payment" via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 (1) (f) GDPR on the basis of PayPal's Legitimate Interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report can contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. Among other things, but not exclusively, address data is included in the calculation of the score values.

Storage period

Your data will be stored until the payment processing is completed, including the period in which complaints, reclaims, etc. may occur. In accordance with § 147 AO and § 257 HGB, we also have a statutory retention period of 10 years for document data.

Receiver

PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Third-country transfer

There will be no transfer to a third country.

Legal basis

The legal basis for the data processing described is the performance of the contract with you, Art. 6 (1) sentence 1 (b) GDPR.

Possibility of revocation

Without the transmission of your personal data, we will not be able to make a payment via PayPal. However, there is an option for you to choose a different payment method.

For more information on data protection at PayPal, please visit: https://www.paypal.com/myaccount/privacy/privacyhub

10.3.3 Klarna

We use the payment Service Provider Klarna Bank AB (publ.), Sveavägen 46, 11134 Stockholm, on our website.

Type and purpose of processing

If you choose to pay via Klarna, the payment data you enter will be transmitted to Klarna.

Storage period

Your data will be stored until the payment processing is completed, including the period in which complaints, reclaims, etc. may occur. In accordance with § 147 AO and § 257 HGB, we also have a statutory retention period of 10 years for document data.

Receiver

Klarna Bank AB (publ.). Sveavägen 46, 11134 Stockholm

Third-country transfer

There will be no transfer to a third country.

Legal basis

The legal basis for the data processing described is the performance of the contract with you, Art. 6 (1) sentence 1 (b) GDPR.

Possibility of revocation

Without the submission of your personal data, we will not be able to process a payment via Klarna. However, there is an option for you to choose a different payment method.

For more information on data protection at Klarna, please see https://www.klarna.com/de/datenschutz/.

10.4 Analytics and Tracking Tools

Information about the analysis and tracking tools we use on this website can be found in our Cookie Statement.

10.5 Marketing Tools

Information about the marketing tools we use on this website can be found in our Cookie Statement.

10.6 Content Delivery Networks

10.6.1 Cloudflare

We use Cloudflare on our website to secure our website and improve load times, a service provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.

Type and purpose of processing

Cloudflare is a content delivery network (CDN). Cloudflare makes copies of our website and places them on its own servers. Therefore, when you visit our website, a load balancing system ensures that the main part of our website is delivered from a server that can show you our website as quickly as possible. In addition to fast website delivery, Cloudflare also offers various security services, such as DDoS protection or the Web Application Firewall. Cloudflare blocks threats and limits abusive bots and crawlers that waste our bandwidth and server resources.

Storage period

Typically, Cloudflare stores the data for less than 24 hours. For enterprise domains that have Cloudflare Logs (formerly called Enterprise LogShare or ELS) enabled, the data can be stored for up to 7 days. When IP addresses trigger security alerts in Cloudflare, the data can be stored for longer.

However, there is also information that Cloudflare stores indefinitely as part of their permanent logs. This is done to improve the overall performance of Cloudflare Resolver and to identify potential security risks. You can find out exactly which permanent logs are stored under https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/. Any data Cloudflare collects (temporary or permanent) will be purged of all personal data. Cloudflare also anonymizes all persistent logs.

Receiver

Cloudflare, Inc.

Third-country transfer

Cloudflare stores data primarily in the United States and the European Economic Area. Cloudflare also works with third-party vendors. However, they may only process personal data as directed by Cloudflare and in accordance with their own privacy policy and other confidentiality and security agreements. A transfer to the USA cannot be ruled out, but there is currently an adequacy decision by the EU Commission for this. Cloudflare, Inc. is certified under the Data Privacy Framework: https://www.dataprivacyframework.gov/list

Legal basis

The legal basis for the data processing described is our Legitimate Interest in securing and effectively providing our website, Art. 6 (1) (f) GDPR.

Possibility of objection

You have the right to object to processing. Whether the objection is successful must be determined in the context of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.

To learn more about data protection at Cloudflare, visit https://www.cloudflare.com/de-de/trust-hub/gdpr/.

10.6.2 Amazon (Cloudfront)

We use the Content Delivery Network (CDN) Amazon CloudFront from Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS).

Type and purpose of processing

We use CDNs such as Amazon Cloudfront to increase the security and delivery speed of our website. A CDN is a network of servers distributed around the world that is able to deliver optimized content to the website user. For this purpose, personal data may be processed in server log files of AWS.

In doing so, AWS collects the following data:

• IP address
• website accessed,
• Referrer URL,
• the browser used
• operating system used.

Receiver

• Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg;
• com, Inc., Seattle WA, USA

Transfer to third countries

AWS is the recipient of your personal data and acts as a processor for us. Since AWS provides servers worldwide as a CDN, a third-country transfer cannot be ruled out. For the USA, there is currently an adequacy decision by the EU Commission. Amazon.com, Inc. is certified under the Data Privacy Framework: https://www.dataprivacyframework.gov/list

AWS has implemented compliance measures for international data transfers. These apply to all global activities where AWS processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, see: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Storage period

Your personal data will be retained by AWS for as long as necessary for the purposes described. It will then be deleted immediately.

Legal basis

It is in our Legitimate Interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR not to operate a content delivery network ourselves and yet to ensure an effective, modern, and secure provision of our website.

Possibility of objection

You have the right to object to processing. Whether the objection is successful must be determined in the context of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our website and offers.

To learn more about AWS 's privacy practices, please visit: https://aws.amazon.com/de/data-protection/.

The current privacy policy of AWS can be found here: https://aws.amazon.com/de/privacy/ and here in German translation: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf

For more information on how to object and remedy AWS, please visit: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf

10.7 Customer Support

10.7.1 Zendesk

We use the Customer service software Zendesk, Inc., 989 Market St, San Francisco, USA.

Type and purpose of processing

Zendesk is a cloud-based Customer support platform that enables website owners to aggregate Customer interaction from all channels such as phone, email, chat, and social media.

Storage period

The data processed through Zendesk will be stored until your Customer service request is completed and then until the expiry of the general limitation period (3 years).

Receiver

Zendesk, Inc., 989 Market St, San Francisco, USA.

Third-country transfer

Zendesk also processes personal data in the United States. For the USA, there is currently an adequacy decision by the EU Commission. Zendesk, Inc. is certified under the Data Privacy Framework: https://www.dataprivacyframework.gov/list

In addition, Zendesk uses the EU Commission's Standard Contractual Clauses to secure personal data in third countries.

Legal basis

The legal basis for Zendesk's processing of your data is your consent.

Possibility of revocation

You can object to the processing of your data by Zendesk at any time with effect for the future. However, we may not be able to process your Customer enquiries (further) in this case. If you wish to object to the data processing described above, please contact data.protection@merlinentertainments.biz.

10.8 Content from Third-Parties

10.8.1 Facebook, Instagram and X (Twitter)

We integrate third-party content such as Facebook, Instagram and Twitter on our websites.

Type and purpose of processing

Some content includes the ability to view external content from these third parties. Such embedded third-party content is also known as social embeds.

To protect your data, we block the display of external content via our consent tool. If you would like to display the external content, you have the option of giving your consent to the transfer of data via our Consent Management Tool and having the content displayed by clicking on it or refraining from displaying the external content.

Third-country transfer

The aforementioned providers also process data outside the EU/EEA, especially in the USA. For the USA, there is currently an adequacy decision by the EU Commission. Meta Platforms, Inc. is certified under the Data Privacy Framework: https://www.dataprivacyframework.gov/list

In addition, data is transmitted in a pseudonymous form. As far as possible, we have concluded the EU Standard Contractual Clauses with the providers and have taken additional technical protection measures.

Legal basis

Data collection and storage is only carried out with explicit consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

Possibility of revocation

You can revoke your consent at any time with effect for the future via our Consent Management Tool and changing your selection there. The lawfulness of the data processing up to the time of revocation remains unaffected.

10.8.2 YouTube

We use the YouTube service to embed videos on the site. The provider is Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Type and purpose of processing

Subject to your consent, the video content will be loaded from Google's servers. In doing so, data, e.g. Your IP address is transmitted to Google - which lets Google know that you have watched the video. If you are logged in to YouTube, this information will also be assigned to your user account. This can be prevented by logging out of YouTube before viewing the video.

The following data may be collected and processed via YouTube:

• IP Address
• Referrer URL
• Device Information
• Watched videos

Storage period

The personal data will be kept for as long as it is necessary to fulfil the purpose of the processing.

Receiver

In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of the processing:

Google LLC.

Alphabet Inc.

Transfer to third countries

A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. For the USA, there is currently an adequacy decision by the EU Commission. Google LLC is certified under the Data Privacy Framework: https://www.dataprivacyframework.gov/list

Insofar as data is processed outside the EU/EEA, we have also concluded the standard contractual clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the Service Provider in order to establish a secure level of data protection, which allow the transfer of personal data to a third country in individual cases.

Legal basis

The legal basis for the processing is your consent.

Possibility of revocation

If you do not want YouTube to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future via our Consent Management Tool. The lawfulness of the data processing until the revocation remains unaffected.

10.9 Other Third-Party Providers

10.9.1 Queue-it

On this website we use the services of Queue-it ApS, Skelbækgade 2-4, 1717 Copenhagen V, Denmark.

Purpose of the processing

Queue-it is a developer of virtual waiting rooms to control website and app traffic peaks. Queue-it enables us as an online ticket seller to protect our ticket system from slowdowns and crashes during peak times by distributing the load across multiple data centres during such peak times. Visitors are temporarily redirected to a virtual waiting room and informed of their waiting time in real time. Your current IP address is processed in the process.

Receiver

Queue-it Aps

Storage duration

The lifespan of the Queue IT cookie is 365 days.

Legal basis

The legal basis for the described data processing is our Legitimate Interest in the security and effective provision of our website, Art. 6 para. 1 lit. f GDPR.

Possibility of objection

You have the right to object to the processing. To do so, please contact the Data Protection Team or the Data Protection Officer as indicated in section 2. Whether the objection is successful must be determined as part of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.

You can find Queue-it's privacy policy at: https://queue-it.com/privacy-policy/

10.9.2 hCaptcha

We use hCaptcha, an anti-spam service from Intuition Machines Inc, 350 Alabama St, San Francisco, USA.

Nature and purpose of processing

The purpose of hCaptcha is to check whether data is entered on our website (e.g. in a contact form) by a human or by an automated program (bot). For this purpose, hCaptcha analyzes the behavior of the website visitor based on various characteristics.

hCaptcha provides website visitors with image puzzles, among other things. However, you can also use an invisible captcha. If the tool was unable to collect enough user data, users have to solve an additional picture puzzle. For this purpose, hCaptcha analyses various information (IP address, time spent by the visitor on the website or mouse movements made by the user, data retrievals). The data collected during the analysis is sent to the Service Provider. If hCaptcha is used in "invisible mode", the analyses run in the background; users of the website are then not informed that an analysis is taking place.

hCaptcha also uses cookies for the purpose of analysis. These store a pseudonymous but unique identifier for each user. This identifier enables hCaptcha to recognize users on all websites that use hCaptcha. hCaptcha also stores the usage data specified above.

Receiver

Intuition Machines Inc, 350 Alabama St, San Francisco, USA.

Third country transfer

Intuition Machines Inc. processes personal data in the USA. There is currently an adequacy decision by the EU Commission for the USA. We have concluded the standard contractual clauses of the EU Commission with the provider in order to guarantee data security and an appropriate level of data protection. These are included as standard in the data processing addendum to the provider's General Terms and Conditions.

Legal basis

The legal basis for the described data processing is our Legitimate Interest in the security and effective provision of our website, Art. 6 para. 1 lit. f GDPR.

Possibility of objection

You have the right to object to the processing. Whether the objection is successful must be determined as part of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.

10.9.3 Facebook Connect

We use Facebook Connect on our website, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Meta Platforms, Inc, 1601 S California Ave, Palo Alto, California 94304, USA ("Facebook").

Nature and purpose of processing

Facebook Connect is designed to make it easier for you to register for services on the internet and speed up the registration process. A Facebook account is a prerequisite for use. This allows you to register and log in to our website via your Facebook account in order to use our services.

When you register via Facebook, Facebook will ask for your consent to share certain data in your Facebook account with us. This may include your first name, last name and email address to verify your identity, general location, a link to your Facebook profile, your time zone, your date of birth, your profile picture, your likes and your friends list. This data is collected by Facebook and processed and transmitted to us in accordance with Facebook's privacy policy https://de-de.facebook.com/privacy/policy/. You can control the information we receive from Facebook via the privacy settings in your Facebook account.

The data is used by us to set up, provide and personalize your Customer account. If you register with us via Facebook, your Customer account is automatically linked to your Facebook account and Facebook can track information about your activities on our websites. If applicable, activities on our websites are shared on Facebook and published in your chronicle and news display for friends.

Receiver

• Meta Platforms Inc.
• Meta Platforms Ireland Limited

Third country transfer

Facebook also processes personal data in the USA. There is currently an adequacy decision by the EU Commission for the USA. Meta Platforms, Inc. is certified in accordance with the Data Privacy Framework: https://www.dataprivacyframework.gov/list

Legal basis

The legal basis for the processing of your personal data in connection with Facebook Connect is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

Possibility of revocation

Once you have given your consent, you can withdraw it at any time with effect for the future via our Consent Management Tool, by changing your selection there. The legality of the data processing until the revocation remains unaffected.

You can prevent the processing of the above information by Facebook by using our account registration form and not using Facebook Connect.

Customer: means a person who purchases, has purchased or will purchase tickets for an attraction, who uses the Merlin website, goods and services, or who participates in a Merlin competition or event.

Data Controller: means a natural or legal person who determines the means and purposes of the Data Processing.

Data Subject: means a person whose personal data is concerned.

EEA: means the European Economic Area.

GDPR: means the EU's General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.

Legitimate Interests: means grounds that organisations may provide as a lawful basis for their actions, for example where personal data is used in a way that can reasonably be expected or there is an overriding reason for the processing.

Member States: means countries that are members of the European Union.

Profiling: means the analysis of your personal data for the purpose of evaluating your behaviour or to be able to predict certain things about you that may be relevant to you in the context of an entertainment context, for example how likely it is that you will attend a particular event of ours.

Special Categories of personal data: means personal data relating to health, genetic and biometric data, criminal record, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Service Providers: means third parties to whom we entrust some functions of our business. For example, we engage Service Providers to provide and maintain our IT applications and systems located in 'clouds', i.e. your personal data is stored on their servers, but is under our control and management. We require all our Service Providers to maintain confidentiality about this personal data and its security.