As Data Controller, Gardaland S.r.l. collects and uses the personal data of anyone who purchases and uses a season pass for the Park.
We therefore intend to provide clear and accessible information about the purposes, collection and use of personal data, in compliance with the European data protection regulation 679/2016 (GDPR) and the applicable national law (in particular Legislative Decree 196/2003, “Privacy Code” as amended by Legislative Decree 101/2018), also specifying the rights that may be exercised by data subjects.
Data Controller and contact details
GARDALAND S.r.l., with registered office at Via Derna, 4, 37014 Castelnuovo del Garda (VR), is the Data Controller of your personal data (hereinafter referred to as “Gardaland” or “Data Controller”).
The Data Controller has designated a Data Protection Officer (DPO), whom you may contact at any time by email on: email@example.com.
In the case of season passes offered by Gardaland, your personal data will only be processed for the purpose of issuing the season pass, unless you expressly agree to any other use of your data (see the purposes indicated by point 3). The season pass cannot be issued if you do not provide the personal data requested in the purchase form.
The purposes of processing of your personal data for the purchase and issue of the season pass are the following:
- to allow the purchase, issue and use of the season pass for access to the park;
- for administrative/accounting purposes;
- to send commercial messages through newsletters and text messages, even by classifying users by country of origin;
- to protect the company assets, security and safety, and company organization; specifically, for the purpose of processing the photograph image of the data subject on the season pass in order to check the correct and non-fraudulent use of the pass.
- to allow browsing on website, improving the quality of services already provided. Guarantee the stability of the system, and security of data and activity. Ensure the correctness of web transactions, in compliance with the anti-fraud law. For the purposes listed in this section, aggregate data are also collected for internal performance evaluation.
Data processed and processing methods
Personal data are processed, also with the help of automated means, by the Data Controller and by Data Processors duly appointed for the correct fulfilment of the stated purposes via electronic means and paper records, as well as with the use of security measures to guarantee the confidentiality of personal data and to prevent undue access to data by unauthorised parties.
Personal data are collected according to different legal bases applicable to each processing purpose:
- signing a contract (Art. 6, par. 1, (b) GDPR) in order to purchase the pass for access to the park;
- regulatory obligations of the Controller (Art. 6, par. 1, (c) GDPR) for administrative/accounting purposes;
- consent (Art. 6, par. 1, (a) GDPR) for commercial and marketing purposes, such as sending newsletters and text messages as indicated by point 3 of the paragraph “Purposes”;
- legitimate interest of the Data Controller (Art. 6, par. 1, (f) GDPR) for the purposes indicated by points 4 and 5 of the paragraph “Purposes”.
The data subject may in any case ask the Data Controller to clarify the actual legal basis of each type of processing and, in particular, to specify whether said processing is based on the law, or is provided by contract or a legitimate interest.
The data subject may obtain further information about the legitimate interest pursued by the Data Controller at any time or withdraw its consent by contacting the Data Controller on e-mail address: firstname.lastname@example.org.
In general, data are retained by the data controller for the period required to perform the above purpose(s).
In particular, the data collected to issue the season pass and to pursue the legitimate interests of the Controller are retained for 10 years, while the data collected for administrative/accounting purposes are retained for the time indicated by the applicable regulations.
As regards the purposes specified by point 3, for which the data subject’s express consent is required, data are retained for as long as the system detects any activity by the data subject or until such time as the consent given is withdrawn.
At the end of the above periods and once the above purposes have been fulfilled, the user’s personal data will, as a rule, be deleted or anonymized; personal data may however be retained for a longer period of time only when this is required by law or with the consent of the data subject.
Recipients and transfer
The data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located.
The data collected and processed will not be disseminated, but may be disclosed solely for the above purposes to other companies and entities of the Merlin group, even those located abroad in or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Art. 49 (b) of the GDPR.
The accounting/tax data may be disclosed to duly appointed external parties who carry out activities on behalf of the Data Controller such as, but not limited to: chartered accountants, credit institutions and related external professionals. The data in question may be transferred to IT partners selected to provide services related to the contract, who will guarantee the same level of technical and organizational protection guaranteed by the Data Controller.
It is always possible to ask the Data Controller for an updated list of external Data Processors.
Rights of the data subject:
The data subject has the right to request from the Data Controller access to and rectification or erasure of his/her personal data or restriction of processing concerning the data subject or to object to processing, in addition to the right to request data portability, as provided for by Articles 15-21 of the GDPR. The request can be made by email, fax or registered letter, specifying in the request the right that the data subject wishes to exercise (erasure, rectification, portability, right to be forgotten), together with a valid email address/certified email address where the reply can be sent. The Data Controller or any person appointed by the Data Controller will process the request within 30 days from date of receipt. For complex replies, response times may be extended to an additional 30 days, following prompt communication to the data subject. Should the data subject deem it appropriate to enforce his/her rights, he/she may lodge a complaint to the competent supervisory authority, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), with office in Piazza Venezia 11, Rome.
Requests and communication or notice to withdraw consent to data processing should be sent by email to the following address: email@example.com.
Last update: 23rd September 2022