PRIVACY POLICY IN ACCORDANCE WITH ARTICLE 13 OF EU REGULATION 679/2016

This is to inform you about the processing of your personal data in relation to the use of the "Gardaland Resort" Application ("App" or "Application"). The processing is carried out in accordance with the criteria set forth in the European Data Protection Regulation, EU Reg. 2016/679 ("GDPR"). According to the aforementioned legislation, the processing must be based on the principles of fairness, lawfulness and transparency and the protection of your confidentiality and rights. 

Gardaland S.r.l. provides the services to the user ("User") according to the Terms and Conditions of Use and to this Privacy Policy. By using the App, the user will be able to create his or her own profile, allowing him or her to take advantage of the services offered by the App.  

The Privacy Policy is provided only for the Gardaland Resort App owned by the company Gardaland S.r.l., and not for other websites that may be consulted by the user through links present within the App. 

Gardaland may modify this Policy in order to keep it up to date with new regulatory interventions regarding privacy or any changes that may be made in personal data processing. The Privacy Policy should therefore be read regularly, in order to keep up to date with the type of data Gardaland collects, and how said data are used and shared. 

 

DATA CONTROLLER

The Data Controller with regard to the services provided by the Gardaland Resort App is the company Gardaland S.r.l. ("Controller" or "Gardaland"), VAT No. 05431170967, in the person of the current legal representative, with registered office in Via Derna 4, 37014 Castelnuovo del Garda (VR).

JOINT CONTROLLERSHIP

Gardaland acts as a Joint Controller of your personal data with Merlin Attractions Operations Ltd (MAOL), a company with registered office located at Link House, 25 West Street, Poole, Dorset, England, BH15 1LD in the cases specified in the “General Information” section under the paragraph “JOINT CONTROLLERSHIP”.

PRIVACY CONTACT DETAILS

For any privacy-related inquiries, Gardaland can be reached at the following email address: data.protection@merlinentertainments.biz.

MAOL can also be contacted via the same email address.

Gardaland has appointed its own Data Protection Officer (DPO), who can also be contacted at the email address data.protection@merlinentertainments.biz. 

Similarly, MAOL has appointed its own DPO, who can also be reached at the same email address provided above.

All personal data will be collected, processed and used by Gardaland, or by any Joint Controllers, in compliance with the applicable data protection provisions. 

 

DATA SUBJECTS 

The data subjects potentially involved in the processing of personal data by  the Data Controller (or Joint Controllers, where applicable)for the purposes and processing activities referred to in the following sections are the users of the App. 

 

TYPE OF DATA PROCESSED 

Certain personal data will be collected via the App, namely first name, last name, e-mail address and geolocation, pop-up notifications and ticket data.  

The provision of such data is optional for the User. Users are therefore free to refrain from communicating such data, without this having any consequence on the availability of the service or its operation. 

Unless otherwise specified, any use of Cookies - or other tracking tools - is for the purpose of providing the service requested by the user, in addition to the further purposes described in this document and in the Cookie Policy.  

For operation and security purposes, this App and any third party services used by it may collect System Logs, i.e., files that record interactions and may also contain personal data, such as the user's IP address, as well as information relating to: location, accuracy and date/time at periodic intervals during the day (only when present within the Park), each visit to the Resort, including start and end date/time, operating system, operating system version, device model, battery level, battery status (charging or not), Bluetooth status (on or off), mobile phone operator, assigned SSID for Wi-Fi connection, location permission status (on or off), IP address, default language, time zone, App version and build number, App interactions (detected as events and transferred to firebase analytics and keen IO), date/time of entry/exit from a particular geo-referenced area (in case of entering a previously geo-referenced area). 

 

PURPOSE OF PROCESSING AND LEGAL BASIS  

Personal data are collected for the following purposes and processed according to the specific legal bases: 

  1. a) we shall process personal data in order to enable the User to use the services, in accordance with what accepted in the Terms and Conditions of Use. The legal basis is the performance of pre-contractual measures and the Terms and Conditions of Use accepted pursuant to Article 6(1)(b) GDPR. The nature of the provision is mandatory, otherwise the service will not be provided;  
  2. b) for the Joint Controllers to send newsletters and commercial messages related to products and services offered by Gardaland and by other Merlin Group companies, also by classifying users by country of origin , as well as for the Controller to send communications on the status of queues within the park through the use of push notifications directly on the device. The legal basis is the consent freely given by the user to the Joint Controllers and to the Controller respectively, in accordance with Article 6(1)(a) GDPR. The provision of data is optional; the absence of such consent does not affect the ability to use this App;  
  3. c) to fulfil a legal obligation to which the Data Controller is subject under Article 6(1)(c) GDPR; 
  4. d) to ensure the security of the App or the use of the services, for the violation of the Terms and Conditions of Use as well as the prevention of any unlawful use of the App. The legal basis is the legitimate interest of the Data Controller pursuant to Article 6(1)(f) GDPR. In this regard, the user's personal data may be used in court or in the previous stages for the defence against abuse in the use of the App or related services by the user.

 

PROCESSING METHODS AND INFORMATION SECURITY 

The Data Controller, or the Joint Controllers, where applicable, take appropriate security measures to prevent unauthorised access, disclosure, modification or destruction of personal data. The processing is carried out by means of computer and/or IT tools, with organisational methods and logics strictly related to the indicated purposes.  

 

PLACE OF PROCESSING 

The data are processed at the operating offices of the Data Controller (or of the Joint Controllers, where applicable) and in any other place where the parties involved in the processing are located. In any case, the processing of personal data will take place within the European Economic Area.  

 

DATA RECIPIENTS AND TRANSFER 

In some cases, other parties involved in the management of this App or external parties (such as developers or maintainers of the database, hosting providers, IT companies) appointed as Data Processors or persons authorised to process data by the Controller (or by the Joint Controllers, where applicable) for the provision of the service may have access to the data. We may eventually share some information with law enforcement or judicial authorities.  

The data collected and processed will not be disseminated, but may be disclosed solely for the above purposes to other companies and entities of the Merlin group, even those located abroad in or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Article 49(b) of the GDPR.  

 

STORAGE TIMES 

Data are processed and stored for the time required by the purposes for which they were collected. Traffic data will be stored in a pseudonymised manner in order to ensure the security of the App and the prevention of unlawful acts, as per the legitimate interest of the Data Controller.   

At the end of the retention period, Personal Data will be automatically deleted. Therefore, upon the expiry of this period, the right of access, erasure, rectification and the right to Data portability can no longer be exercised. 

The data collected for marketing purposes by the Joint Controllers under letter b) of the paragraph "Purposes of the processing and legal bases" will be retained until the consent freely given by the data subject is revoked, and in any case no longer than 24 months after it has been provided. 

 

RIGHTS OF THE DATA SUBJECT 

In relation to the processing of his or her personal data, the data subject has the opportunity to exercise certain rights (Articles 15-22 of the GDPR).   

Specifically, the GDPR confers the right to access, rectify or erase personal data, restrict or oppose processing, and portability. 

Where processing is based on consent, the data subject has the right to withdraw consent to the processing of his or her personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before such withdrawal.  

The data subject also has the right to lodge a complaint with the supervisory authority, which is the Italian Data Protection Authority, based in Rome at Piazza Venezia 11, or take the matter to the competent judicial authority.  

For the exercise of these rights, , the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or send an email to: protezione.dati@gardaland.it

Buy Tickets Only

Book HOTEL + TICKETS:

1 Check in & Check out
2 Guests
2
Adults
1
Kids
Age
or
Buy Tickets Only
Health