The UK General Data Protection Regulation (UK GDPR) is the primary data protection legislation and it requires organisations to inform individuals about how they collect and use their personal data. Personal data is any information that can identify an individual, either directly or indirectly.
The purpose of this ‘privacy policy’ is to provide a clear explanation of this. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to find the information that is most relevant to you. It is important to us that we comply with our data protection obligations and keep your personal data secure.
Who we are
Blackpool Tower is operated by Blackpool Tourism Limited and our registered office address is Blackpool Tourism Limited, Number One, Bickerstaffe Square, Talbot Road, Blackpool, FY1 3AH.
Blackpool Tourism Limited is a wholly owned company of Blackpool Council, which operates a number of visitor attractions in Blackpool.
Blackpool Tourism Limited is the ‘data controller’ for the purpose of compliance with the UK GDPR and our registration reference with the Information Commissioner’s Office (ICO) is ZA321446.
Why we process your personal data (and our legal basis)
Bookings
We collect and process your personal data to enable us to manage bookings and deliver services to you at our attractions; this includes communicating with you on the same.
As part of the booking process, you may be required to make a payment, at which point we are required to process your credit/debit card details.
You may choose to provide us feedback about your visit to help us improve our attractions and services.
The UK GDPR lawful basis for these processing activities is called ‘performance of a contract.’
If you wish to apply for a Disability Access Card, you will need to provide additional special category data to enable us to confirm your entitlement to this and the UK GDPR lawful basis for this processing is ‘consent’. To facilitate this process we use a third party organisation called Nimbus Disability.
Security and Health & Safety
We operate CCTV at our attractions for the safety of guests, staff and also for the security of our premises. In the unlikely event of an incident or accident, we are required to keep records of the same, which may contain your personal data.
The UK GDPR lawful basis for our use of CCTV is called ‘legitimate interests’ and in relation to meeting our Health & Safety requirements it is called ‘legal obligation’.
Marketing
We provide marketing communications to inform guests about news and offers regarding our attractions or services. To ensure these reach the correct audience, we may target/profile these based on your booking history or preferences.
Guests also have the opportunity to subscribe to our newsletter and/or take part in competitions.
To comply with our obligations under the Privacy and Electronic Communications Regulations (PECR), you have to ‘opt in’ to receive marketing communications. You can opt out at any point by selecting this on a marketing communication, or you can contact the Company’s Data Protection Officer, whose contact details are below. The UK GDPR lawful basis for this processing is ‘consent.’
At some attractions, a third party called Events Photo Team operate cameras on selected rides; these use facial recognition technology to provide guests with the opportunity to purchase the correct photograph(s) from their visit. Events Photo Team act as their own ‘data controller’ for the purpose of compliance with the UK GDPR.
Website
We use cookies to monitor interaction between guests and our website, and to ensure content on our website is presented to you in the most effective manner. At certain venues we offer Wifi for our guests and this requires us to obtain some basic personal data to enable guests to access the Wifi.
The UK GDPR lawful basis for this processing is called ‘legitimate interests’.
Legal and Regulatory Obligations
On occasion, we may have to provide personal data of guests to comply with lawful requests by law enforcement agencies, requests from regulatory bodies or a court order. For example, these requests may come from, but are not limited to, the Police, HMRC, Department for Work and Pensions (DWP), Information Commissioner’s Office (ICO), Health and Safety Executive and Blackpool Council’s Public Protection Service.
The UK GDPR lawful basis for this processing is called ‘legal obligation’.
What personal data do we process
We collect the following data categories to enable us to meet the above purposes:
· Bookings – this may include your name, postal address, telephone number and email address. Guest feedback is likely to contain the same, but also any additional information you wish to include as part of your feedback.
· Disabled Access Registration ID Card - this contains the information described above that is required for a booking, but also special category data as proof of disability. This may include but is not limited to a letter from a Doctor, DVLA or DWP.
· Payment – this may include bank name, bank address, account number, sort code, security code and card expiration date.
· CCTV images - Events Photo Team collect images and biometric data (facial recognition) as outlined above.
· Incident and Accident logs - name, postal address, telephone number, email address, Date Of Birth, details of any injuries, health data and description of incident.
· Marketing Communications - this may include your name, email address, booking history and marketing preferences.
Who we share your personal data with
To enable us to effectively operate attractions and offer services at these attractions, we use a selection of trusted partners, which include:
· Merlin Attractions Operations Limited and Accesso Technology Group plc (who act as our processors) – who currently provide ticketing and customer relationship management solutions until 1st Dec 2025.
· Ayden (who act as our processor) – who are our card payment providers.
· Insurance Providers and Solicitors (who act as our processor) - in the event of a claim.
· Blackpool Council (who act as our processor) - who provide a number of back office functions such as data protection, internal audit and IT.
· Edison (who act as a processor) – to support our marketing activities.
· Xeinadin Audit Limited – who act as our external auditors.
· Police (who are an independent data controller) - for the purpose of the prevention or detection of crime.
· Nimbus Disability (who are an independent data controller) – provide disability access cards.
· Facebook, Instagram and TikTok are the social media platforms we use for marketing.
Before we engage with any partners, we ensure we have assurance that they will keep our guests’ personal data secure and comply with obligations under data protection legislation.
Retention
We do not keep personal data for longer than is necessary; the retention length depends on the purpose and the lawful basis for processing.
In particular, where there has been no interaction from a guest (e.g. a purchase, email, newsletter sign up), a record will be archived after 1 year and deleted after 3 years.
If you have any queries on the retention of personal data, this information can be obtained from the Company’s Data Protection Officer, whose details are below.
Complaints and Individual Rights
If you are not happy with how we have handled your personal information, please give us the opportunity to resolve this with you.
The best way to do this is to contact our Company’s Data Protection Officer; this is Jonathan Pickup, who can be contacted at the Company’s registered office or by email at dataprotectionofficer@blackpool.gov.uk.
Alternatively, if we cannot resolve your complaint, you can refer it directly to the Information Commissioner (ICO) who is the regulator for data protection in the UK and their contact details are available at www.ico.org.uk.
The UK GDPR affords individuals a number of rights that include:
· Right of access - to receive a copy of your personal data and other supplementary information.
· Right to rectification - to have inaccurate personal data rectified or completed if it is incomplete.
· Right to erasure - to have personal data erased.
· Right to restrict processing - to request the restriction or suppression of your personal data.
· Right to data portability - to obtain and reuse your personal data for your own purposes across different services.
· Right to object - to object to the processing of your personal data in certain circumstances.
· Rights related to automated decision-making including profiling.
Not all rights are automatic; they are dependent on the lawful basis for processing. If you wish to exercise any of the above rights, please contact the Company’s Data Protection Officer.
International Transfers
We do not transfer your personal data outside the UK or European Economic Area (EEA). All personal data processing activities are conducted within jurisdictions that uphold high standards of data protection, as defined by GDPR.