1 INTRODUCTION
1.1 Purpose
This Data Governance Policy (the “Policy”) establishes and describes the rules that govern the Processing of Personal Information by or on behalf of La Ronde (“La Ronde”), an affiliate of Six Flags Entertainment Corporation (“Six Flags”). This Policy is designed to assist La Ronde in complying with its legal and regulatory obligations regarding privacy and data protection, and describes the responsibilities of Staff Members when handling Personal Information for or on behalf of La Ronde.
It is the responsibility of each La Ronde employee, contractor, consultant, director and officer (collectively, “Staff Members”) to understand and comply with this Policy. Failure to comply with this Policy may result in disciplinary action, up to and including termination for employees, and possible contract termination or legal action for contractors and consultants.
1.2 Scope and Applicability
This Policy applies to all La Ronde business units, departments and operations and encompasses all activities that involve the Processing of Personal Information. It covers both digital and physical data formats and applies to all Personal Information Processed by La Ronde, regardless of the geographic location of the Individuals. This includes Personal Information of customers, job applicants, and Staff Members.
1.3 Related Policies
This Policy makes reference to, and should be read together with, the following related Six Flags policies and procedures:
- Six Flags Information Services Department Security Policies, which includes among other things:
- Six Flags Data Retention Policy and Data Disposal Procedures
- Six Flags Security Awareness and Acceptable Use Policy
- Six Flags Business Continuity and Disaster Recovery Plan
- Six Flags Incident Response Plan
- Six Flags Vendor Risk Management Policy
- Six Flags Records Retention Schedule
1.4 Definitions
For the purposes of this Policy, the following definitions, when they appear with their initial letter in capital letters, will have the meanings indicated below:
- “Applicable Law” means all international, national, federal, state, provincial and local laws, rules, regulations, directives, governmental and regulatory requirements and guidance currently in effect and as they become effective, that relate in any way to privacy, data protection, confidentiality, information security or breach notification as applicable to La Ronde, including, but not limited to, the federal Personal Information Protection and Electronic Documents Act and substantially similar provincial laws including, but not limited to, Québec’s Act respecting the protection of personal information in the private sector.
- “Individual” means the individual (i.e., natural person) to whom the Personal Information relates.
- “Personal Information” means any information, whether stored in digital or physical form, that relates to an identified or identifiable individual. This includes, but is not limited to, information such as name, address, telephone number, date of birth, email address, nationality and age.
- “Privacy Regulator” means any governmental or regulatory body charged with overseeing and enforcing compliance with Applicable Law in its respective jurisdiction. In Canada, this includes the Office of the Privacy Commissioner of Canada and other relevant federal and provincial regulators, including, but not limited, to the Commission d’accès à l’information du Québec.
- “Privacy Impact Assessment” or “PIA” means a structured process for identifying, assessing and mitigating privacy-related risks arising from or associated with a specific project or initiative involving the Processing of Personal Information.
- “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means any incident that threatens the confidentiality, integrity or availability of Personal Information or otherwise compromises the confidentiality or security of the information, including loss of, unauthorized access to, or unauthorized use or disclosure of Personal Information, or any other breach of the protection of such information.
1.5 Roles and Responsibilities
1.5.1 Privacy Officer
La Ronde has designated a Privacy Officer who is responsible for overseeing La Ronde’s compliance with this Policy and Applicable Law. The duties and responsibilities of the individual designated as Privacy Officer include:
- Ensuring that the Processing of Personal Information by La Ronde complies with internal policies and Applicable Law;
- Providing guidance on conducting Privacy Impact Assessments, including identifying privacy risks and recommending mitigation strategies;
- Overseeing the Security Incident response process, including advising on required notices, and ensuring all actions are documented in accordance with internal policies and Applicable Law;
- Responding to Individual rights requests and complaints related to Personal Information in accordance with Applicable Law;
- Periodically reviewing and, as appropriate, update this Policy and related policies and practices to reflect evolving legal and industry standards;
- Developing and implementing privacy training for Staff Members to promote a culture of privacy compliance and raise awareness about La Ronde’ compliance efforts;
- As otherwise provided in this Policy.
The Privacy Officer may delegate these duties and responsibilities to qualified personnel within the organization, as appropriate. Any such delegations will be formally documented.
The title and contact information of the Privacy Officer will be publicly posted on the La Ronde website. This information will be kept up-to-date to reflect any changes in the appointment of the Privacy Officer.
2 KEY PRINCIPLES FOR PROCESSING PERSONAL INFORMATION
The following principles apply to all Processing of Personal Information:
2.1 Accountability. La Ronde is responsible for Personal Information (including that held by a third party on La Ronde’s behalf, in accordance with the Six Flags Vendor Risk Management Policy). La Ronde implements policies and procedures to ensure its protection.
2.2 Classification and Access Control. La Ronde shall ensure that Processing of Personal Information is appropriately controlled and assigned risk / sensitivity categories. Access to Personal Information is restricted to Staff Members who need to know the information to fulfil their role within the company, as set out in the Six Flags Information Services Department Security Policies.
2.3 Safety measures. La Ronde shall take appropriate administrative, technical and physical security measures to protect Personal Information throughout its lifecycle. Such measures shall be reasonable in light of the sensitivity of the information, the purpose for which it is to be Processed, its quantity, distribution and medium. These measures are set out in the Six Flags Information Services Department Security Policies, the Six Flags Incident Response Policy, the Six Flags Data Retention Policy and Data Disposal Procedures, and Records Retention Schedule and Section 8 of this Policy.
2.4 Determining the purpose of collection. La Ronde identifies the purposes for which it collects Personal Information before collecting it.
2.5 Consent. La Ronde informs individuals of the collection of their Personal Information and obtains their consent to its Processing, including customers and Staff Members, unless it chooses to rely on an exception provided by applicable laws.
2.6 Limitation on Collection. La Ronde only collects Personal Information that is necessary for the purposes previously identified. Personal Information should only be collected by fair and lawful means.
2.7 Limitation on Processing and Retention. La Ronde limits the Processing of Personal Information to purposes to which the individual has consented or to purposes consistent with those purposes, unless otherwise permitted by law. It retains Personal Information only as long as necessary to fulfill the identified purposes, as further set out in Section 8 of this Policy and the Six Flags Data Retention Policy and Data Retention Procedures, and Records Retention Schedule.
2.8 Accuracy. La Ronde ensures that the Personal Information it holds is up-to-date, accurate and complete for as long as it is Processed, as far as is reasonably possible.
2.9 Transparency. La Ronde makes its policies and procedures concerning the management of Personal Information available to its Staff Members. It also makes information on its Personal Information practices available to the general public, including in the form of a privacy policy published on its website.
2.10 Access to Personal Information. La Ronde informs any Individual who so requests of the existence of Personal Information concerning him or her, of the use made of it and of the fact that it has been communicated to third parties. It allows any Individual to consult or obtain a copy of his or her Personal Information and to have it rectified, where applicable, subject to the exceptions provided by the laws applicable to its activities, as further set out in Section 6 of this Policy. La Ronde will respond promptly to any such requests.
2.11 Possibility of lodging a complaint. An individual shall be able to address complaints regarding La Ronde’s protection of his or her Personal Information, as further set out in Section 6 of this Policy. La Ronde will respond promptly to any such complaints.
3 VENDOR RISK MANAGEMENT
La Ronde may transfer Personal Information to a vendor, supplier, consultant, contractor or service provider (collectively, a “Vendor”) for Processing on its behalf, provided that La Ronde and the Vendor enter into a data processing / data protection agreement adequate for compliance with Applicable Laws. This agreement must contain, at minimum, contractual assurances that (i) set out the measures the Vendor will take to protect the confidentiality of the personal information, (ii) the personal information is used only for providing the services set out in the contract, (iii) the Vendor does not keep the information after the expiry of the contract, (iv) the Vendor will not transfer Personal Information outside Quebec without La Ronde’s prior written consent, (v) the Vendor will provide La Ronde with reasonable means to monitor and audit its security measures and compliance with its data protection obligations, and (vi) in the event of a security incident, the vendor is responsible for promptly notifying Six Flags regarding incident details, recovery and remediation.
La Ronde is subject to the Six Flags Vendor Risk Management Policy that defines the framework and guidelines for managing risks associated with Vendors, including conducting third-party due diligence and ensuring compliance with La Ronde’ information security requirements and Applicable Law. Staff Members involved in the selection, management and monitoring of Vendors on behalf of La Ronde are responsible for complying with both this Section 3 and the Six Flags Vendor Risk Management Policy and related procedures.
4 CROSS-BORDER DATA TRANSFERS
4.1 General Requirements for Cross-Border Transfers
If Personal Information is accessed, stored or transferred outside of the Quebec, La Ronde will inform affected Individuals of this possibility and will ensure that the Personal Information is adequately protected while being Processed in other jurisdictions.
4.2 Impact Assessments for Cross-Border Transfers
La Ronde will conduct a transfer impact assessment prior to any disclosure of Personal Information outside of Québec. The purpose of the transfer impact assessment is to determine whether the information will be adequately protected while in another jurisdiction, taking into account certain criteria, including, at a minimum: (i) the sensitivity of the information; (ii) the purposes for which it will be used; (iii) the security measures (contractual or otherwise) that will be applied; and (iv) the legal framework of the country, province, state, or region to which the information will be transferred, including the privacy rights and protections afforded to individuals under local laws and regulations.
Unless the information must be disclosed to a third party due to the urgency of a situation that threatens the life, health or safety of the Individual, La Ronde may proceed with the disclosure only if the following conditions are met:
- The assessment concludes that the Personal Information will receive adequate protection, in particular in light of generally recognized data protection principles; and
- The parties enter into a written agreement that takes into account the results of the assessment and the agreed upon remedial measures.
The Privacy Officer is responsible for establishing and maintaining procedures for conducting transfer impact assessments under this Policy. Staff Members responsible for managing relationships with Vendors or other third parties shall promptly inform the Privacy Officer of any disclosure of Personal Information and shall follow the instructions of the Privacy Officer as to how to proceed.
5 PRIVACY IMPACT ASSESSMENTS
5.1 General Requirements
La Ronde must conduct a PIA when acquiring, developing or overhauling an information system or electronic service delivery system that involves the Processing of Personal Information. All PIAs take must into account all relevant factors surrounding the project, including, but not limited to: (i) the sensitivity of the Personal Information; (ii) the amount of Personal Information Processed; (iii) the categories of Individuals affected; (iv) the purposes for which the information will be used; and (v) the means used to process the information.
5.2 Conducting a Privacy Impact Assessment
The PIA process will include, at a minimum, the following components:
- Description of the nature, scope, purposes and context of the project and related Processing operations;
- Assessment of the necessity, effectiveness, proportionality and minimal intrusiveness of the Processing operations in relation to the purposes;
- Assessment of the risks to the privacy rights or interests of the Individuals; and
- Description of the measures envisaged to address the risks.
5.3 Responsibility and Oversight
The Privacy Officer, with the assistance of relevant La Ronde or Six Flags departments, will oversee the PIA process. The Privacy Officer will ensure that PIAs are conducted in accordance with this Policy and Applicable Law, and will provide guidance and support throughout the process, including with respect to identifying privacy risks and recommending mitigation strategies.
6 PROCEDURES FOR HANDLING INDIVIDUAL RIGHTS REQUESTS
6.1 Types of Individual Rights Requests
Individuals who are Quebec residents have the right to exercise some or all of the following rights with respect to their Personal Information:
- Confirmation of the existence of Processing: This right allows the Individual to request and receive confirmation as to whether La Ronde collects, stores, discloses or carries out any type of Processing with the Individual’s Personal Information.
- Access to Personal Information: This right allows the Individual to request and receive a copy of their Personal Information held by La Ronde.
- Rectification of incomplete, inaccurate or outdated data: This right allows the Individual to request the rectification of their Personal Information if it is found to be inaccurate, incomplete or not up to date.
- Withdrawing or not providing consent: To the extent that consent is required to Process the Individual’s Personal Information, this right allows the Individual to withdraw or refuse consent and to be informed of the consequences of such withdrawal or refusal.
- Data portability: The Individual has the right to receive a copy of their Personal Information in a structured, commonly used technological format or, upon request, to instruct La Ronde to disclose the information in such format to a third party authorized by law to collect the Personal Information. Note: This right applies only to computerized Personal Information collected from the Individual and excludes any information created or inferred using Personal Information, and is coming into force only in September 2024.
- Complaints regarding information handling practices: The Individual has the right to file a complaint with La Ronde regarding its information handling practices and compliance with Applicable Law.
6.2 Mechanisms for Request Fulfillment
If a Staff Member receives an individual rights request directly from an Individual, the Staff Member will work with the Guest Relations team to handle it accordingly or will promptly forward the request to the Privacy Officer and, other than providing an acknowledgement of receipt, should refrain from responding to the request unless otherwise directed by the Privacy Officer. The Guest Relations team is responsible for responding to these requests within 30 days and in a manner and format that complies with internal policies and procedures and Applicable Law.
If a Staff Member wishes to exercise their individual rights with respect to Personal Information held about them in their capacity as Staff Member, they must contact their supervisor or the Human Resources Department. If the Staff Member is not satisfied with the response, the Staff Member must submit a written request to the Privacy Officer, who will handle the request in accordance with established internal policies and procedures and Applicable Law.
7 PROCEDURES FOR HANDLING LAW ENFORCEMENT, COURT AND GOVERNMENT REQUESTS
Staff Members must promptly notify the Privacy Officer if La Ronde receives requests from law enforcement, courts or government authorities for Personal Information in its custody or control, or inquiries from Privacy Regulators regarding La Ronde’s information handling practices. Staff Members should not respond directly to such requests or inquiries unless specifically directed to do so by the Privacy Officer or senior management.
Upon notification, the Privacy Officer will promptly notify and coordinate with Six Flags General Counsel to determine the appropriate course of action. The response may include providing the requested information, seeking clarification or further legal advice, or challenging the request if it is deemed overly broad or in conflict with legal or regulatory requirements.
8 RETENTION AND DISPOSAL OF PERSONAL INFORMATION
La Ronde will retain Personal Information only for as long as necessary to fulfill the purposes for which it was originally collected or lawfully used, unless a longer retention period is permitted or required by law, such as to comply with legal or regulatory requirements or to meet legitimate business needs. When Personal Information is no longer needed for its intended purpose and is not otherwise required to be retained by law, it will be securely destroyed, erased or anonymized (so that it no longer allows the Individual to be identified, either alone or in combination with other information) in accordance with La Ronde’s internal policies and Applicable Law.
La Ronde has established a Data Retention Policy and Data Disposal Procedures and a Records Retention Schedule that detail the specific retention periods for various categories of records and outline the procedures for its secure disposal. Staff Members are responsible for familiarizing themselves with these documents and complying with the retention periods and disposal procedures outlined therein.
9 CONFIDENTIALITY AND INFORMATION SECURITY
La Ronde is committed to maintaining the confidentiality, integrity and availability of Personal Information in its custody or control and employs appropriate physical, technical and organizational measures to protect Personal Information from loss, theft and unauthorized access, disclosure, copying, use or modification.
Six Flags has implemented various policies, standards and controls that address its information security requirements and describe how Staff Members are expected to handle Personal Information and interact with Six Flags and La Ronde systems, networks and facilities that contain such information. The key policies are set out in Section 1.3 of this Policy.
10 SECURITY INCIDENT RESPONSE
La Ronde will investigate and document all known or suspected Security Incidents in accordance with the Six Flags Incident Response Plan and any other relevant internal policies and procedures.
The Privacy Officer must be consulted in assessing the scope, impact and magnitude of a Security Incident, including determining when such an incident should be reported to external authorities, such as law enforcement or Privacy Regulators, or to affected Individuals. The Privacy Officer is also responsible for maintaining appropriate records related to the Security Incident in accordance with La Ronde’ internal policies and procedures and Applicable Law.
11 TRAINING AND AWARENESS
La Ronde will develop and implement a privacy and training program to promote compliance with this Policy and to foster a culture of data protection and security awareness within its organization. This program will include providing training on this Policy and related confidentiality and security obligations to all Staff Members who have access to Personal Information.
12 COMPLIANCE MONITORING AND AUDITING
La Ronde will develop and implement a compliance monitoring and auditing program to verify compliance with this Policy and related policies, procedures and standards. This program will include conducting audits of business processes and procedures that involve the Processing of Personal Information and, to the extent that an audit reveals non-compliance with this Policy, developing and executing an appropriate remediation plan in a timely manner. The Privacy Officer will oversee the audit process and seek assistance from other departments within La Ronde as necessary.
13 PERIODIC REVIEW AND CHANGES TO THIS POLICY
This Privacy Policy will be periodically reviewed and updated to ensure its continued relevance and effectiveness in light of changing legal, technological and business environments. The Privacy Officer, with the assistance of other relevant departments within La Ronde, will be responsible for initiating these reviews.
14 CONTACT DETAILS
If you have any questions or concerns regarding this Policy, please contact the Privacy Officer via email: Kathleen Gadd [email protected]
- Scope of This Policy
- Your Consent
- Our Terms of Use
- Your Choices
- Location Data
- Information We Collect
- Information About Third-Party Cookies
- How We Use Your Information
- How We Share Your Information
- How We Protect Your Information
- Employment Applications
- A Note About Children’s Privacy
- Links To Other Websites
- Access to Your Information
- Website Hosting Location
- California Privacy Rights
- Governing Law
- This Policy May Change
- Questions About This policy
Scope of This Policy
Six Flags collects certain information about or related to you through this Site. Some of the information Six Flags collects may be “personal information”—information that identifies you personally, alone or in combination with other information available to us. Six Flags has provided this Privacy Policy so that you will know what information Six Flags collects, how Six Flags uses this information, the types of third parties with whom Six Flags may share this information, and some of the choices that are available to you. On occasion, Six Flags may offer special programs, activities, events or promotions (collectively, “Special Programs”) that have additional terms, privacy notices and/or consent forms that explain how any personal information you provide will be processed in connection with that program. We recommend you review the terms applicable to those programs before participating.Your Consent
By using this Site, you are consenting to the collection, use, disclosure, and transfer of your information as described in this Policy.Our Terms of Use
This Policy is part of the Terms of Use that govern your use of this Site. A link to our Terms of Use is provided at the bottom of each page of this Site.Your Choices
In General. We respect your right to make choices about the ways we collect, use, and disclose your information. This Policy describes some of your choices, such as your choice to opt out of receiving “cookies.” We may ask you to indicate your choices at the time and on the page where you provide your information. Do Not Track Mechanisms. California law requires this Policy to address how we respond to any “Do-Not-Track (‘DNT’) signal” delivered by your browser. Because of the changing state of technology and indecision within the industry regarding the meaning of DNT signals, we currently do not make any guarantee that we will honor DNT signals. Previously Expressed Preferences. You may change previously expressed preferences regarding how we use your information. For example, you can opt out of promotional emails we send to you by selecting the “unsubscribe” link located at the bottom of each communication. To change other preferences, please contact us using the information provided below.Location Data
When you download the App, we may ask your permission to track your precise, real-time location. If you consent, we may track your location even when you are not using the App. You may change your location-tracking preferences at any time through the settings on your device or through the settings section in the App. Such location-tracking services may be erroneous, inaccurate, incomplete or time-delayed.Information We Collect
Information You Manually Provide. Six Flags collects the information you manually provide (using your keyboard, mouse, touchpad, or screen) when you use this Site. For example, we collect the information you provide when you communicate with us, purchase tickets, register for a sweepstakes, or otherwise interact with this Site. Some of the information you manually provide may be personal information, such as your name, contact information, photographs, comments, or other content you submit to our Site. Information From Third-Party Social Media Platforms. You may be able to register with, log on to, or enhance your profile on this Site by choosing to automatically populate the requested data fields with information you previously provided to a third-party social media platform (such as Facebook or Twitter). By doing this, you are asking the third-party platform to send us information, including personal information, from your profile on that platform. We treat that information as we do any other information you give to us when you register, log on, or enhance your profile. Information from your browser or device. Six Flags collects information that is sent to us automatically by your web browser or mobile device. This information typically includes your IP address, the name of your operating system, the name and version of your browser, the date and time of your visit, and the pages you visit. The information we receive may depend on your browser or device settings. The information we receive from your web browser and device is not, in and of itself, personally identifiable. Generally, we use this information in the aggregate to help us improve this Site and make it more compatible with the technology used by our visitors. However, we may combine it with other information in an attempt to identify you or we may combine it with information that does identify you. We may also review our server logs for security purposes—for example, to detect intrusions into our network—and we might share our server logs, which contain visitors’ IP addresses, with the appropriate investigative authorities who could use that information to trace and identify you. Employment Information. Six Flags collects information about employment applicants as further described in the “Employment Applications” section below. Information Collected by Cookies and Other Technologies. We use “cookies” and other technologies to collect information and support certain features of this Site. For example, we may use these technologies to:- collect information about the ways visitors use this Site—which pages you visit, which links you use, and how long you stay on each page;
- support the features and functionality of this Site—for example, to save you the trouble of reentering information already in our database or to prompt the settings you established on previous visits;
- personalize your experience when you use this Site; and
- improve our marketing efforts, including through use of targeted advertising.
Information About Third-Party Cookies
In addition to the cookies Six Flags delivers to your computer or mobile device through this Site, certain third parties may deliver cookies to you for a variety of reasons. For example, we use Google Analytics, a web analytics tool that helps us understand how visitors engage with our Sites. To learn more about Google Analytics, click here. Other third parties may deliver cookies to your computer or mobile device for the purpose of tracking your online behaviors over time and across nonaffiliated websites and/or delivering targeted advertisements either on this Site or on other websites. You have choices about the collection of information by third parties on our Sites. For example, if you don’t want information about your visit to this Site sent to Google Analytics, you may download an Opt-out Browser Add-on by clicking here. Please note that the Add-on does not prevent information from being sent to Six Flags. In addition, if you would like to opt-out of having interest-based information collected by certain entities during your visits to this Site or other websites, please click here. You will be directed to an industry-developed website that contains mechanisms for choosing whether each listed entity may collect and use data for online behavioral advertising purposes. It may be that some of the third parties that collect interest-based information on this Site do not participate in the industry-developed opt-out website, in which case the best way to avoid third-party tracking of your online behaviors may be through your browser settings and deletion of cookies.How We Use Your Information
Generally, we use the information we collect through this Site:- to provide the information, products and services you request;
- to provide you with effective customer service;
- to provide you with a personalized experience when you use this Site;
- to contact you with information and notices related to your use of this Site;
- to contact you with special offers and other information we believe will be of interest to you (in accordance with any privacy preferences you have expressed to us);
- to invite you to participate in surveys and provide Feedback to us (in accordance with any privacy preferences you have expressed to us);
- to improve the content, functionality and usability of this Site;
- to better understand your needs and interests;
- to improve our products and services;
- to improve our marketing and promotional efforts;
- to process employment applications, as further described in the “Employment Applications” section below
- for security, credit or fraud prevention purposes; and
- for any other purpose identified in an applicable Privacy Notice, click-through agreement or other agreement between you and us.