Übersicht über die Datenschutzbestimmungen und -verpflichtung

At Gardaland S.r.l. (“we”, “us”, “our”) we may collect and use the personal data of people visiting our attractions and hotels, registering to our Applications or browsing our websites (“Website”). Personal data means information that identifies, whether directly or indirectly, a particular individual. Protecting your personal data is of great importance to us. We are aware of the responsibilities we have in managing your personal data, in keeping it safe and handling it in accordance with applicable law.

The purpose of this privacy policy (“Policy”) is to provide a clear explanation of when, why and how we collect and use personal data. The Policy has been designed to be simple and easy to consult. Sections have been subdivided and titled to make it easy for you to find the information you are looking for.

Please read this Policy carefully. It provides important information on how we use personal data and explains what your rights are with reference to such data. This Policy does not affect the terms of any contract you have entered with us (for example, terms and conditions for Wi-Fi or the annual pass).

We can modify this Policy in order to keep it up to date with new regulatory interventions regarding privacy or the changes we can make in personal data processing. In such cases, we will make sure you are aware of any significant change by sending a message to the most recent e-mail address provided by you, or by posting a notice on the Web Site. We invite you to regularly check and review this Policy so you are always aware of what information we collect, how we use it and with whom we share it.

 

INDICE:

  1. WHO is the data controller?
  2. WHAT data do we collect?
  3. WHEN do we collect your personal data?
  4. For what PURPOSES do we collect your personal data?
  5. What are the LEGAL GROUNDS for data processing?
  6. WHO do we communicate your data to?
  7. Do we TRANSFER your personal data outside the European Union?
  8. How do we process your personal data?
  9. How LONG do we keep your personal data?
  10. WHAT are your rights?
  11. Contacts and complaints

 

 

1. Who is the data controller?

Gardaland S.r.l. is an Italian family entertainment company, with registered office in Via Derna, 4 - 37014 Castelnuovo del Garda (Verona), Italy (“Controller” or “Gardaland”) which can be contacted at the following e-mail address: protezione.dati@gardaland.it.

Gardaland is part of the Merlin Entertainment group that manages over 100 attractions and over 20 hotels and holiday villages in 25 countries worldwide. A complete list of our attractions and a note from the companies that make up the group is available at ("Merlin Group"). The purpose of our business is to create unique, memorable and rewarding experiences for our visitors.

 

2. WHAT data do we collect?

Through this Policy, Gardaland wish to inform potential customers, current customers, visitors of its amusement parks, attractions, hotels, users of our Application "Gardaland Resort Official App" ("App") and those who visit the Website ("Users") of how it processes their personal data.

We collect the following data from our Users:

  • Identifying and contact information provided by filling out forms on the pages of our Website. We may also ask you for information when you report a problem with our Website.
  • Information about your experience in our parks and your level of satisfaction with our attractions.
  • Details of transactions you made through our Website and related to making reservations, including your credit/debit card details.
  • Details of your visits to our Website, including but not limited to: data traffic, location data, web logs and other communication data, necessary or otherwise for our billing purposes, and the resources you access.
  • Through our App, information relating to: Location, accuracy and date/time periodically throughout the day (only while at the attraction), Each visit to the resort including date/time first seen and last seen, Operating system, Operating system version, Device name, Battery level, Battery status (charging or not), Bluetooth status (on or off), Mobile network carrier name, Currently connected Wi-Fi SSID, Location permission status (on or off), IP address, User's preferred locale, Current time zone, App version and build number, App version and build number, App version and build number.

The information collected includes contact details such as your name, address, date of birth, phone number, e-mail address, health data (such as information about your disability or your family's disability, if and when communicated to us and subject to your explicit prior consent). This may also include data collected from children.

The information also relates to the history of your purchases, including those made through the Website and your visits to the amusement park and those relating to attractions and your commercial preferences.

Le informazioni relative alla navigazione comprendono l'indirizzo IP e i dettagli sulla tua cronologia di navigazione, il tipo di browser, la frequenza delle sessioni e le informazioni raccolte tramite i cookie. Per ulteriori dettagli sui cookie, per favore vedi la nostra informativa sui cookie separata www.gardaland.it/en/footer/cookies/.

 

3. WHEN do we collect your personal data?

We will collect information directly from you when (1) you sign up on our Website, (2) download and register to our App (3) subscribe to our services, (4) sign up for the newsletter, (5) purchase tickets or passes for the amusement park or attractions, (6) you make a phone reservation, (7) you use Wi-Fi at one or more of our attractions, (8) you book a hotel room at one of our hotels, (9) you complete one of our questionnaires or (10) you contact us for information.

We will also collect information about you indirectly from a member of your family or from a third party when booking a family ticket (family package) or when a parent takes part in a competition on behalf of his/her child.

We will not knowingly collect any personal data regarding children for commercial purposes without making it clear that such information must be provided only with the consent of the parents, if required by law. Gardaland will only use the personal data of children within the limits of and in compliance with the law and when consent from the parents or guardians has been obtained.

 

4. For what PURPOSES do we collect your personal data?

We will use your personal data for the following purposes:

a. to create an account and sign you up, if required, on the Website pages;
b. download and register to our App
c. to use the services and products available through the Website, including the possibility to make hotel and attraction reservations at the park, purchasing park tickets, signing up to participate in competitions (“Services”);
d. to receive assistance and information regarding our Services

(the purposes defined in points a) to d) above are jointly defined as "Contractual Purposes");

e. to comply with any and all legal and regulatory obligations (hereinafter referred to as “Regulatory Purposes");
f. to defend or enforce the rights of Gardaland in court or out of court
g. carry out activities regarding the company and/or its lines of business, acquisitions, mergers, demergers or other transformations and for the execution of such operations

(the purposes outlined in points e) and g) above are jointly defined as the “Purposes of Legitimate Interest");

With your prior consent, we will use your personal data for the following purposes:

h. to conduct market surveys and surveys to improve your experience in our amusement park;
i. to send you newsletters and commercial communications by any means (including e-mail, SMS, phone calls or mail) relating to our products and services (e.g. invitations to special events, special offers, promotions of new products and services) or to products and services of the Merlin Group companies;

(the purposes outlined in letters h) and i) are jointly defined as "Marketing Purposes";

If you have consented to the Marketing Purposes, to send you without your explicit consent, newsletters and communications relating to our products and personalised services based on non-invasive categories of membership, such as the frequency of access to amusement parks and the type of purchases carried out (“Purposes of Legitimate Marketing Interest”).

With your prior consent, the data concerning your health status and, in particular, your disability or that of your family members in order to provide you the assistance and pass necessary to access and use our Services ("Access Purposes").

 

5. What are the LEGAL GROUNDS for data processing?

We must establish a legal basis to use your personal data in order to ensure that the use of your personal information is in line with the purposes for which it was collected.

The processing of your personal data for Contractual and Regulatory Purposes is mandatory as it is necessary to successfully sign you up to the Website and to use our Services, as well as to comply with the applicable legislation. If you decide not to provide us with your personal data for the aforementioned purposes, you will not be able to use our Services.

The processing of your data for Marketing Purposes is optional and based on your consent, which can be revoked at any time. In the event that you decide not to give your consent, Gardaland will not be able to keep you updated on new services, promotions or offers or to carry out marketing surveys and send communications or other information material relevant to your preferences.

The processing of personal data for the Purposes of Legitimate Marketing Interest and of Legitimate Business Interests are used for the legitimate interest of Gardaland adequately balanced with your interests in light of the limits imposed on such treatment and are not mandatory. You can object to the processing carried out for these purposes as indicated in section 11 of this Policy without prejudice to the prevailing interest of Gardaland to continue the processing and, except cases in which processing is required, to exercise or defend the rights of Gardaland in court.

The processing for Access Purposes is based on your consent and can be revoked at any time. However, processing is necessary to allow access and use of certain Services and failure to give consent will make it impossible for Gardaland to grant access to these Services.

You can revoke your consent or oppose the processing of your personal data as indicated in section 11 of the Policy.

 

6. WHO do we communicate your data to?

Furthermore, for the Purposes referred to in section 4, we communicate the data to third parties to better help us manage our activities and provide services. These third parties may from time to time have access to your personal data and include:

  • Service providers who help us manage our IT and back office systems and assist us in Customer Relationship Management, in particular MagNews, BestUnion, Facebook, TravelClick, Sale Cycle and Zucchetti;
  • Our supervisory authorities, which may include the Italian Data Protection Authority as well as other control bodies and law enforcement agencies in the EU and around the world;
    • Law firms and other professional services firms (including our auditors).

Gardaland S.r.l. has appointed as external data processors, among others, Best Union, Diennea, Lakeweb, Monkey Survey, Olojin, TravelClick, Ananai, Promogrifo, Idea Ward, Medianet, Zucchetti, Peschiera Viaggi, Flixbus, Trenord, Parco Acquatico Cavour, Parco Natura Viva, Parco Giardino Sigurtà, Alpitour, Eden Viaggi, Veratour, Gruppo Sinergia SRL, Poste Italiane S.P.A. and TUAT.

A complete list of external data processors can be requested from the e-mail address provided in section 11.

7. Do we TRANSFER your personal data outside the European Union?

Your personal data will not be transferred outside the European Union.

8. How do we process your personal data?

Your personal data is processed by electronic and non-electronic means for the time strictly necessary for the purposes for which it was collected. Gardaland adopts suitable technical and organisational measures to prevent losses, illegal or incorrect use of data or unauthorised access. Gardaland takes suitable measures to secure personal data collected, including limiting the number of people who can access our database servers and install electronic security systems that protect against unauthorized access.

 

9. How LONG do we keep your personal data?

We will store your personal data for the time necessary to pursue the purposes indicated in section 4 of the Policy.

Specifically:

  • the data collected for the Contractual Purposes are kept for the entire duration of the Contract (e.g. existence of your account on the Website, the registration to our App and/or the provision of Services), plus a maximum of 10 years from the expiration of the Contract term;
  • the data collected for Regulatory Purposes are kept for a period equal to the predetermined duration for each type of data outlined by current law;
  • the data collected for the purpose of Legitimate Business Interests are kept for a maximum period of 10 years from date of collection;
  • the data collected for Marketing Purposes, and for the Purposes of Legitimate Marketing Interest are kept for a period of 2 years from date of collection;
  • data collected for Access Purposes are kept for a maximum period of 10 years from date of collection.

At the end of the storage period for each purpose, your personal data will be deleted or rendered anonymous and aggregated.

10. What are your rights?

You have a number of rights in relation to your personal data. Essentially, you have the right to request: access to your data; the rectification of any mistake in our files; the erasure of records when no longer required; the restriction of the processing of your data; objection to the processing of your data; the data portability and various information in relation to any automated decision making and profiling for international transfers. You also have the right to complain to your supervisory authorities (further details of which are defined in Section 11 below).

They are detailed as follows:

RIGHT

WHAT DOES THAT MEAN?

Access

By sending an e-mail to protezione.dati@gardaland.it, you can ask us to:

  • Confirm that we are processing your personal data;
  • Give you a copy of the data;

Provide you with other information about your personal data such as the data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling (to the extent that such information has not already been provided to you in this Policy).

Rectification

By sending an e-mail to: protezione.dati@gardaland.it, you can ask us to correct inaccurate personal data.

We may verify the accuracy of the data before correcting it.

Erasure/Right to be forgotten

By visiting this page you can ask us to delete your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where data processing was based on consent); or
  • it follows a successful right to objection (see "Objection" below); or
  • it has been unlawfully processed;
  • it is necessary to comply with a legal obligation to which Gardaland is subject to.

We are not required to comply with your request to delete your personal data if the processing of your personal data is necessary to comply with a legal obligation or for the protection, exercise or defence of rights in court, for public archiving purposes, scientific interest or for reasons of historical research or statistical purposes.

We will keep track of requests for consent withdraw to ensure that you do not receive any further communication.

Restriction

By sending an e-mail to: protezione.dati@gardaland.it, you can ask us to restrict (e.g. keep but not use) the use of your personal data only where:

  • its accuracy is disputed (see “Rectification”), to allow us to verify their accuracy; or
  • the process is deemed to be unlawful but you do not want it deleted; or
  • it is no longer necessary for the purposes for which it was collected for, but we still need them to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We may continue to use your personal data following a request for restriction where:

  • we have your consent; or
  • to establish, exercise or defend legal claims; or

to protect the rights of another natural or legal person.

Portability

By sending an e-mail to protezione.dati@gardaland.it, you can ask us to provide you with your personal data in a structured, commonly used, machine-readable, or you can ask to have it “transmitted" directly to another data controller, but only when the processing is based on your consent or the performance of a contract with you and the treatment is carried out by automatically.

Objection

By sending an e-mail to: protezione.dati@gardaland.it, you can object to any processing of your personal data that has our "Legitimate Interests" as its legal basis (see Appendix 2 for more details) if you believe that your fundamental rights and your freedoms outweigh our Legitimate Interests. Upon making your objection, we have the opportunity to prove that we have stringent Legitimate Interests that override your rights, however this does not apply as long as the objections relate to the use of personal data for direct marketing purposes.

 

You can exercise the rights mentioned above through the instructions set out in Section 11 below. Please take note of the following should you wish to exercise these rights:

  • Identity. We take the confidentiality of all records containing personal data very seriously and we reserve the right to ask you for proof of your identity if you make a request.
  • We will not charge you a fee to exercise your rights in relation to your personal data unless your request to access your information is groundless, repetitive or excessive. In such case we will charge a reasonable fee.
  • Periods of time. We aim to respond to every valid request within a month, unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if your request is going to take more than a month. We might ask you if you could help us by telling us exactly what you wish to receive or what you are specifically concerned with. This will help us process your request faster.
  • Local laws, including those in Italy, provide additional exemptions - in particular the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.

11. Contacts and complaints

Our Data Protection Officer is the main point of contact for any problem that should arise regarding this Policy, including requests to exercise data subject rights. The Data Protection Officer can be contacted at the following address: protezione.dati@gardaland.it.

If you have a complaint or problem about how we use your personal information, please contact us in the first instance and we will try to resolve the issue as soon as possible. You also have the right to file a complaint with your national data protection supervisory authority at any time. In Italy, the data supervisory authority is the Garante per la protezione dei dati personali (http://www.garanteprivacy.it/). We would kindly ask that you to try to resolve any problem you may have with us first, although you have a right to contact your supervisory authority at any time.

 

APPENDIX 1 - LEGAL BASIS FOR PROCESSING

Activities

Type of information collected

The basis on which we use information

Providing services

  • Contact details and Engagement details
  • Performance of a contract

Providing User support

  • Contact details, Engagement details and Device data
  • Performance of a contract

Marketing

  • Contact details, Marketing preferences
  • Consent

Light Profiling

  • Contact details
  • Age group, the opening of received newsletters, the type of purchases made effettuati
  • Legitimate Interest

Follow legal and regulatory obligations

  • Contact details and Engagement details
  • Legal obligations

 

 

APPENDIX 2 - GLOSSARY

Users: means potential and current customers, visitors of the amusement park, attractions, hotels and anyone visiting the Website.

Data controller: means Gardaland

Data Subject: means the natural person relating to the personal data being processed (e.g. current customer, potential customer, visitor of the amusement park, Website user)

European Union: means the geographical area in which the data can be freely transferred.

GDPR: means the General Data Protection Regulation, no. 679 of 2016 entered into force on 25 May 2018 which replaces the previous Data Protection Directive 95/46/EC.

Supervisory Authority: the Data Protection Authority for the protection of personal data called to monitor compliance with the legislation on the protection of personal data within the Italian territory.

Legitimate Interest: legal basis for data processing pursuant to art. 6, point f) of the GDPR.

Member States: means those countries which are part of the European Union.

Privacy Shield: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.

Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host

Special data categories: personal data that indicate racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership as well as genetic and biometric data intended to uniquely identify an individual and data related to health or sex life and one’s sexual orientation.

Service providers: means third parties to whom we outsource certain functions of our business. For example, we have service providers who provide/support “cloud based” IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.

 

Back to top