Skip to main content

Privacy Policy pursuant to Article 13 of Regulation (EU) 2016-679

Dear Customer,

we hereby inform you that your personal data is processed by our company. Data processing is carried out in compliance with the criteria set out in European General Data Protection Regulation 2016/679/EU (hereinafter GDPR). According to the aforementioned legislation, the processing must be based on the principles of fairness, lawfulness and transparency and the protection of your confidentiality and rights.

Controller: the Data Controller is Gardaland S.r.l., in the person of its pro tempore legal representative, with registered office in Castelnuovo del Garda (VR).
The Data Controller has designated a Data Protection Officer (DPO). You can contact the Data Protection Officer by email at any time at the following address:

Legal basis, purpose and storage period:
The personal data processed by the Data Controller, and necessary for subscription, are: Name, Surname, Email, Date of Birth, Country of Residence and ID photo. The additional data requested, such as the mobile number, are optional and only necessary for the pursuit of purposes for which explicit consent is required.

Personal data are collected for the following purposes and according to the specific legal bases:
1.    Issue of the season pass for access to the park, for which the legal basis is performance of the contract (Article 6(1)(b) of the GDPR). Your data will be stored for 10 years from the time of subscription;
2.    Administrative/accounting purposes for which the legal basis is compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). Your data will be stored for the time indicated by applicable regulations;
3.    Sending commercial communications in the form of newsletters and text messages, also through categorisation deriving from the country of origin, for which consent is required (Article 6(1)(a) of the GDPR). Your data will be stored until your withdrawal of consent;
4.    Protection of company assets, security and safety, and company organisation, for which the legal basis is legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR), specifically regarding the processing of the image on the season pass in order to check the correct and non-fraudulent use of the pass.  Your data will be stored for the time strictly necessary to fulfil the purpose stated.

For the purposes referred to in points 1, 2, and 4, the provision of data is mandatory and failure to provide said data will prevent you from completing the purchase and using the requested season pass.
For the purpose referred to in point 3, the provision of data is optional and in the event of failure to provide them, the Data Controller may not proceed for this specific purpose without obtaining your prior and explicit consent.
After the end of the storage period, your data will be processed for statistical and strategic guidance purposes exclusively in aggregate, which makes it impossible to re-identify the user.
However, it is always possible to ask the Data Controller to clarify the concrete legal basis of each act of processing and, in particular, to specify whether the processing is based on law, provided for by contract or legitimate interest.
You can obtain further information about the legitimate interest pursued by the Data Controller at any time or withdraw your consent by contacting the Data Controller at

Data Processing Methods: Personal data are processed, also with the help of automated means, by the Data Controller and by Data Processors duly appointed for the correct fulfilment of the stated purposes via electronic means and paper records, as well as with the use of security measures to guarantee the confidentiality of personal data and to avoid undue access to unauthorised parties.

Disclosure: The Data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located.
The accounting/tax data may be disclosed to duly appointed external parties who carry out activities on behalf of the Data Controller such as, but not limited to: chartered accountants, credit institutions and related external professionals. The data involved may be transferred to IT partners chosen to provide services related to the contract, who will guarantee the same level of technical and organisational protection guaranteed by the Data Controller. Disclosure to non-EU countries is not envisaged, nor is public disclosure (e.g. social networks, websites, etc.).
It is always possible to ask the Data Controller for an updated list of external Data Processors.

Rights of the data subject: The data subject has the right to request from the Data Controller access to and rectification or erasure of his/her personal data or restriction of processing concerning the data subject or to object to processing, in addition to the right to request data portability, as provided for by Articles 15-21 of the GDPR. The request can be made by email, fax or registered letter, specifying in the request the right that the data subject wishes to exercise (erasure, rectification, portability, right to be forgotten), together with a valid email address/certified email address where the reply can be sent. The Data Controller or any person appointed by the Data Controller, will process the request within 30 days from date of receipt. For complex replies, response times may be extended to an additional 30 days, following prompt communication to the data subject. Should the data subject deem it appropriate to enforce his/her rights, he/she may lodge a complaint to the competent supervisory authority, the Italian Data Protection Authority, with office in Piazza Venezia 11, Rome.

For any request, communication or to withdraw your consent to data processing, you can send an email to the following address: