Security Statement and Policy and Commitments to Privacy

DATA CONTROLLER AND CONTACT DETAILS 

GARDALAND S.r.l., subject to the management and coordination of the Merlin Entertainments Limited Group, with registered office at Via Derna, 4, 37014 Castelnuovo del Garda (VR), is the Data Controller of your personal data (hereinafter referred to as “Gardaland” or “Data Controller”). 

The contact for privacy issues is the e-mail address: protezione.dati@gardaland.it. Gardaland has also appointed its own Data Protection Officer (DPO) who can also be contacted at the email address protezione.dati@gardaland.it. 

All personal data will be collected, processed and used by Gardaland in compliance with the applicable data protection provisions. 

DATA SUBJECTS 

Below is a list of the data subjects potentially involved in the processing of personal data by Gardaland for the purposes and processing activities referred to in the following sections:  

• Customers/potential customers 
• Web users 
• Social media users 
• App users
• Candidates/potential candidates 
• Suppliers/business partners 
• Employees 

TYPE OF DATA PROCESSED 

 In general, the categories of personal data subject to processing are as follows: 

• Identification data (acquired both directly and indirectly), including images recorded by the video surveillance system and/or in the various attractions within the Park. 
• Contact details. 
• Tax/financial data in connection with transactions made through the Website and the e-commerce site relating to bookings and purchases. 
• Website browsing data including IP address and browsing history details, type of browser used, location data, frequency of visit sessions and information collected via cookies as set out in the specific information notice at https://www.gardaland.it/sicurezza-privacy/politica-sui-cookies/. 
• Data relating to the use of and access to the Applications "Gardaland Resort" and "Gardaland Express" (hereinafter referred to as "App" for convenience). 
• Booking and accommodation data at Gardaland Hotels. 
• Registration plate numbers of customers' cars using the car park.
• Preferences expressed during the use of the services offered e.g. regarding the experience within the parks and the level of enjoyment of the attractions.
• Data provided under the Whistleblowing Procedure.

PURPOSE 

Personal data relating to data subjects acquired by Gardaland are processed for the purposes indicated within each specific information notice below.  

Here is a summary and non-exhaustive list of the purposes of processing: 

Contractual Purposes 

1. creation and registration of an account, where required within the pages of the Web Site, including the e-commerce site;
2. downloading and registration of Apps;
3. use of services and products, such as, by way of example, the purchase of tickets, extra services, season passes and Gardaland Club for access to the Parks, bookings of stays at hotels, attractions at the park and any refreshment points, participation to prize events (hereinafter, for the sake of convenience, the "Services");
4. receiving assistance and information regarding our Services;

Legal Purposes 

1. complying with any legal and regulatory obligations, including the provisions of Legislative Decree No. 24/2023 (the so-called "Whistleblowing Decree") implementing Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report national laws breaches; 

Legitimate Interest Purposes 

1. defending or enforcing the rights of Gardaland in court or out of court and guarantee the correct company management, including through internal policies and procedures implementation;
2. carrying out activities regarding the company and/or its lines of business, acquisitions, mergers, demergers or other transformations and for the execution of such operations;
3. to allow browsing on website, improving the quality of services already provided. Guarantee the stability of the system, and security of data and activity. Ensure the correctness of web transactions, in compliance with the anti-fraud law. For the purposes listed in this section, aggregate data are also collected for internal performance evaluation;
4. for the purpose of protecting persons, property and assets of the company through a video surveillance system of certain areas of the facility, identifiable by the presence of appropriate signs, in order to protect persons and assets against any aggression, theft, robbery, damage, vandalism and for the purpose of fire prevention and work safety; 
5. activating and managing the Whistleblowing Procedure: this includes verifying the facts that are the subject of the report, initiating the investigation, preparing the feedback and adopting any relief or support measures for the whistleblower, resolving the report, and preparing reports on it.

Marketing Purposes  

1. conducting market surveys and creating surveys with the aim of improving the customer experience;
2. sending newsletters and commercial communications relating to the products and services of Gardaland and of the other companies belonging to the Merlin Group;
3. shootings and filming realization to create advertising and/or promotional content for Gardaland brand and attractions.

LEGAL BASIS 

Depending on the case, data are processed in the presence of one or more of the circumstances set out in Article 6(1)(a), (b), (c), (f) of the GDPR. The legal basis of the relevant processing will be indicated in each specific information notice provided below. 

WHEN PERSONAL DATA ARE COLLECTED 

Information is collected by the data controller at the time when the data subject: 

• registers on the pages of the Gardaland website, including the e-commerce website; 

• purchases products within the e-commerce site; 
• downloads and registers to Gardaland Apps;  
• subscribes to the newsletter; 
• buys tickets, extra services, passes, Gardaland Club for access to the parks; 
• books accommodation at one of the hotels, also by telephone reservation; 

• registers to use the Wi-Fi service at parks or hotels; 
• completes opinion surveys or participates in prize competitions;  
• contacts Gardaland's customer service for information.  

The Data Controller collects personal data of the data subject also indirectly through a member of the latter's family or from a third person when he/she buys a ticket/pass/Gardaland Club, books a stay at the hotels owned by Gardaland and/or buys further services through the Website, or, for example, when the data subject is a minor, and the parent or the person exercising parental responsibility takes part in a prize competition on his/her behalf. 

DATA RECIPIENTS AND TRANSFER 

For the pursuit of the processing purposes mentioned above, Gardaland needs to communicate the personal data collected to third parties in order to manage the activities, as well as to guarantee the services offered.  

Third parties could be: 

• service providers offering support in setting up the technical infrastructure of the various solutions available to users/customers; 
• professional firms, communication agencies, service delivery companies, etc; 
• subjects and competent authorities whose right to access the data is expressly recognised by law, regulations or measures issued by the authorities themselves; 

• law firms and other professional services firms (including auditors); 
• transferees of a company or business unit, companies resulting from any mergers, demergers or other transformations of Gardaland. 

Gardaland is also part of the Merlin Group, therefore, if necessary for the purposes for which the data was collected, it may communicate personal data to other companies in the Group. However, if you would like to know the list of all these persons to whom the data are disclosed, please write to protezione.dati@gardaland.it.  

Within the scope of the aforementioned purposes and in relation to the location, in particular of the servers, of Group companies or third parties, the data may also be transferred outside the EU, in compliance with the adequacy decisions (Article 45 GDPR), or in compliance with the appropriate guarantees of the EU Commission (Article 46 GDPR), or in any case in compliance with what is otherwise provided for by the provisions in force (Article 49 GDPR). To obtain copies of these guarantees or the place where they have been made available, please write to protezione.dati@gardaland.it. 

The various recipients of the data for each specific processing activity will also be indicated within each information notice below. 

PROCESSING METHODS AND INFORMATION SECURITY 

The data may only be processed by employees of the company departments responsible for pursuing the above purposes, who have been authorised by the data controller to do so and who have received adequate operating instructions. 

The personal data collected are processed by electronic and non-electronic means. Specifically, Gardaland adopts appropriate technical and organisational measures to maintain the security of the personal data collected, and to prevent loss and the illegal or improper use of the data. Gardaland also prevents unauthorised access to the data by installing electronic security systems and limiting the number of persons authorised to access the database servers. 

STORAGE TIMES 

Personal data collected will only be stored for as long as it is strictly necessary to fulfil the purposes for which they are processed or until the expiry of any statutory storage, processing and storage periods, unless otherwise specified in the data protection notices. 

Specifically: 

• data collected for Contractual Purposes shall be stored for the entire duration of the contract and for a further period of up to 10 years after the termination of the contract (e.g. existence of the account within the Website, registration to the Apps and or provision of Services also following a purchase made through the Website); 
• data collected for Legal Purposes will be stored for a period equal to the duration prescribed by law for each type of data processed; 
• the data collected for Legitimate Interest Purposes will be retained within Gardaland's infrastructure for a maximum period of 10 years from the date of collection in the case of processing aimed at enforcing and defending Gardaland's rights in any litigation while, with respect to processing aimed at carrying out activities functional to transfers of the company or company branch, acquisitions, mergers, demergers or other transformations and for the execution of such operations, the storage periods listed above will apply with respect to the main processing. With regard to the registration plate numbers of the cars of guests accessing the car’s park, this data will be stored by the Data Controller until the day after the guest's visit, then they will be automatically deleted;
• data collected for Marketing Purposes will be stored for a period of 2 years after collection.  

At the end of the storage period provided for each purpose, personal data will be deleted or anonymised and aggregated. 

DATA SUBJECTS’ RIGHTS 

In relation to the processing of his or her personal data, the data subject has the opportunity to exercise certain rights (Articles 15-22 of the GDPR).   

Specifically, the GDPR confers the right to access, rectify or erase personal data, restrict or oppose processing, and portability. 

Where processing is based on consent, the data subject has the right to withdraw consent to the processing of his or her personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before such withdrawal.  

The data subject also has the right to lodge a complaint with the supervisory authority, which is the Italian Data Protection Authority, based in Rome at Piazza Venezia 11, or take the matter to the competent judicial authority.  

For the exercise of these rights, as well as for any request regarding data protection, the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or alternatively contact Gardaland's Data Protection Officer by e-mail at: protezione.dati@gardaland.it. 

Gardaland S.r.l., in its capacity as Data Controller, collects and uses personal data of individuals who browse, purchase and register their account in the website www.gardaland.it (hereinafter the “Website”). 

This policy is provided only for the Gardaland S.r.l. website and not also for other websites that may be browsed by the user via links found at the URL www.gardaland.it 

TYPE OF DATA PROCESSED 

Browsing data 

The computer systems and software used to operate the Website acquire in the course of their normal operation certain data whose transmission is implicit in the use of Internet communication protocols. This information is not gathered in order to be associated with identified data subjects, but by its very nature it might allow users to be identified through processing and association with data held by third parties. 

This category of data includes the IP addresses or domain names of the computers used by users connecting to the Website, the URI/URL (Uniform Resource Identifier/Locator) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment. 

These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check that it is functioning properly, and is retained only for the time required by the relevant legislation. The data could be used to ascertain liability in the event of computer crimes against the Website. 

Data provided voluntarily by the user 

In some cases, in order to use the various services offered by the Website, users will be required to give their personal data to the Controller. The provision of personal data is entirely voluntary, but, in some cases, failure to provide such data will make it impossible to provide the service in question. 

Cookies 

Gardaland collects personal data through cookies. For full details on the use of cookies in the Website, you can directly access the Cookie Policy at this link https://www.gardaland.it/sicurezza-privacy/politica-sui-cookies/ 

PURPOSE  

The purposes of the processing of personal data in the Website are as follows: 

1. to allow access to services available on this Website, such as the "Online Shop", "Book Hotels" and "Buy Tickets and Season Passes"; 
2. to respond to customer requests received on the Website and the Social media managed by Gardaland, including through the use of chatbot service;
3. to send commercial messages related to offers and products marketed by the Data Controller through newsletters and text messages, also by classifying users by country of origin; 
4. for administrative/accounting purposes; 
5. to allow browsing on website, improving the quality of services already provided. to guarantee the stability of the system, and security of data and activity. for the purposes listed in this section, aggregate data are also collected for internal performance evaluation. 
6. to allow speculative applications to be sent via the Merlin portal, which can be accessed from the Website in the "Jobs" section; 
7. to manage content on social networks and moderate the Controller's social media pages (e.g. Facebook, Instagram, LinkedIn, etc.).  

The provision of personal data for the above-mentioned purposes is optional. However, failure to provide such data would not allow the proper handling of any request made or the possibility of establishing a contractual relationship.  

You can always contact the Data Controller or the DPO to request information on the processing of personal data. 

LEGAL BASIS  

Personal data are collected according to different legal bases applicable to each processing purpose: 

• performance of a contract or pre-contractual measures (Article 6, par. 1, (b) GDPR) in order to make purchases on the Controller's various portals, send applications, as well as follow up on customer requests received on the Website and the Social media managed by Gardaland, including through the use of chatbot service;
• consent (Article 6, par. 1, (a) GDPR) for commercial and marketing purposes, such as sending newsletters, as indicated by point 3 of the paragraph “Purpose”; 
• regulatory obligations of the Data Controller (Article 6, par. 1, (c) GDPR) for administrative/accounting purposes; 

• legitimate interest of the Data Controller (Article 6, par. 1, (f) GDPR) for the purposes indicated by point 5 of the paragraph “Purpose”. 
• legitimate interest of the Controller (Article 6, par. 1, (f) GDPR) as well as consent for uploaded content (Article 6, par. 1, (a) GDPR) for the purposes referred to in point 7 of the paragraph "Purpose". 

The data subject may in any case ask the Data Controller to clarify the actual legal basis of each type of processing and, in particular, to specify whether said processing is based on the law, or is provided by contract or a legitimate interest. 

Your data may also be processed in order to fulfil a legal obligation to which the Data Controller is bound, as well as for the Data Controller’s legitimate interest in order to obtain statistical data and ensure the security of this Website. 

The data subject may obtain further information about the legitimate interest pursued by the Data Controller at any time or withdraw consent by contacting the Data Controller at the e-mail address protezione.dati@gardaland.it. 

STORAGE TIMES 

All data acquired may not be used for any purpose other than those mentioned above and will be kept for the period necessary to achieve those purposes. 

In particular, the data collected to issue the season pass and to pursue the legitimate interests of the Controller are retained for 10 years, while the data collected for administrative/accounting purposes are retained for the time indicated by the applicable regulations. 

With regard to the purposes set out in point 3, for which the express consent of the data subject is required, the data are stored for a total of 24 months from the moment the consent is given or until it is revoked, without prejudice to the lawfulness of the processing in the period of consent. 

At the end of the above periods and once the above purposes have been fulfilled, the user’s personal data will, as a rule, be deleted or anonymized; personal data may however be retained for a longer period of time only when this is required by law or with the consent of the data subject. 

RECIPIENTS AND TRANSFER 

The data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located. The user's personal data may be transferred to a country other than the country in which the data subject is located. Should one of the transfers described take place, the user may request information from the Controller by contacting it at the e-mail addresses/telephone numbers given above. 

In addition to the Data Controller, in some cases, other individuals involved in the organisation of this Website (administrative, sales, marketing and legal staff, system administrators) or external parties (such as third-party technical service providers, hosting providers, IT companies, communication agencies) also appointed, if necessary, as Data Processors by the Data Controller, may have access to the data. The updated list of Data Processors may always be requested from the Data Controller. 

Gardaland S.r.l, in its capacity as Data Controller, collects and uses the personal data of those who use the "Gardaland Resort" App. 

For further information on the data processing, data subjects may refer to the specific information provided in the App. 

Gardaland S.r.l, in its capacity as Data Controller, collects and uses the personal data of those who use the Gardaland Express App to use the benefits deriving from the purchase of the season pass/Gardaland Club, or simply of the time-saving admissions. 

For further information on the data processing, data subjects may refer to the specific information provided in the App. 

This is to inform you about the processing of your personal data in relation to the services provided by the Hotels of Gardaland S.r.l. (Gardaland Resort Hotel, Gardaland Magic Hotel, Gardaland Adventure Hotel). The processing is carried out in accordance with the criteria set forth in the European Data Protection Regulation, EU Reg. 2016/679 ("GDPR"). According to the aforementioned legislation, the processing will be based on the principles of fairness, lawfulness and transparency and the protection of your confidentiality and rights. 

Gardaland may modify this Policy in order to keep it up to date with new regulatory interventions regarding privacy or any changes that may be made in personal data processing. The Privacy Policy should therefore be read regularly, in order to keep up to date with the type of data Gardaland collects, and how said data are used and shared. 

DATA CONTROLLER AND CONTACT DETAILS 

The Data Controller with regard to the services provided by the Hotels is the company Gardaland S.r.l. ("Controller" or "Gardaland"), VAT No. 05431170967, in the person of the current legal representative, with registered office in Via Derna 4, 37014 Castelnuovo del Garda (VR), acting in the name and on behalf of the company Gardaland Holidays S.r.l.. 

The contact for privacy issues is the e-mail address: protezione.dati@gardaland.it. Gardaland has also appointed its own Data Protection Officer (DPO) who can also be contacted at the email address protezione.dati@gardaland.it. 

DATA SUBJECTS 

The data subjects involved in the processing of personal data by Gardaland for the purposes and processing activities referred to in the following sections are the following: 

• Guests 

• Potential guests 

• Suppliers/Business Partners 

• Employees 

TYPE OF DATA PROCESSED 

In order to make use of the services provided by the Hotels, the Data Controller shall collect the following mandatory data: first name, surname, gender, I.C./passport number, residential address, nationality, e-mail address, telephone number and payment details. 

The provision of the above-mentioned Data is mandatory. Failure to provide the Data, even partially, will result in the Data Controller being unable to establish and/or continue the relationship with the Guest.  

PURPOSES AND LEGAL BASIS OF THE PROCESSING 

Personal data are collected for the following purposes and processed according to the specific legal bases: 

1. enable the user to browse within the Website and create the relevant access profile to manage and view bookings made; falling under the legal basis provided for in Article 6(1)(b) GDPR; 

2. execute pre-contractual measures (such as, for example, the request for information or quote), falling under the legal basis provided for in Article 6(1)(b) GDPR. In the case of the provision of Special Data, the legal basis for the processing is also the consent of the data subject; 

3. management of the contractual relationship, provision of the requested service, acquiring and confirming the booking of accommodation and ancillary services, performing the web check-in and pre-check-in service prior to the customer's arrival at the facility; falling under the legal basis provided for in Article 6(1)(b) GDPR. In the case of the provision of Special Data, the legal basis for the processing is also the consent of the data subject; 

4. organise meetings, conferences and private events falling under the legal basis of Article 6(1)(b) GDPR; 

5. comply with the obligation provided for by the “Testo unico delle leggi di pubblica sicurezza (Italian Consolidated Law on Public Security)” (Article 109 Royal Decree 18.6.1931 no. 773), which requires the data controller to communicate to the Police Headquarters, for public security purposes, the personal details of the guests in accordance with the procedures established by the Ministry of the Interior (Decree of 7 January 2013); falling under the legal basis provided for in Article 6(1)(c) GDPR; 

6. administrative purposes and for the fulfilment of legal obligations such as accounting, tax, or to comply with requests from judicial authorities falling under the legal basis provided for in Article 6(1)(c) GDPR; 

7. periodic sending, by e-mail, of newsletters and commercial communications subject to the granting of specific consent (marketing purposes); falling under the legal basis provided for in Article 6(1)(a) GDPR; 

8. allow the Data Controller to carry out surveys aimed at improving the quality of the service provided (“Customer Satisfaction”) on the basis of the legitimate interest of the Controller to verify the quality of the contractual service rendered to the Customer; falling within the legal basis provided for in Article 6(1)(f) GDPR; 

9. for the purpose of protecting persons, property and assets of the company through a video surveillance system of certain areas of the facility, identifiable by the presence of appropriate signs, in order to protect persons and assets against any aggression, theft, robbery, damage, vandalism and for the purpose of fire prevention and work safety; falling within the legal basis provided for in Article 6(1)(f) GDPR; 

10. the establishment, exercise or defence of a right in all competent forums, including out-of-court procedures, falling under the legal basis provided for in Article 6(1)(f) GDPR. 

Furthermore, please note that in the event that the Data Subject transmits, spontaneously and/or during his/her stay, personal data falling into the special categories pursuant to Article 9 GDPR (i.e. personal data revealing " racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"), the processing of such data by the Data Controller will have as its legal basis the consent pursuant to Articles 6(1)(a) and (7) GDPR. 

Finally, it should be noted that in order to better manage your file, where necessary, further personal data may be requested by the Data Controller, which will be processed in compliance with the privacy regulations and the indications contained in this information notice. 

 
PROCESSING METHODS AND INFORMATION SECURITY 

The processing of the Data is carried out by the Data Controller by means of collection, recording, organisation, storage, consultation, processing, modification, comparison, use, interconnection, selection, extraction, blocking, communication, deletion and destruction of the Data. 

The Data are processed by means of electronic or automated, computerised, telematic and/or paper-based tools and in any case in the manner strictly necessary to fulfil the above-mentioned purposes. 
Data may be collected by the Data Controller, in addition to the form in question, through its postal and telephone addresses. 

The Data are recorded and stored by the Data Controller in computer and/or paper archives, as well as kept and controlled in such a way as to guarantee their security and confidentiality, in compliance with the aforementioned legislation on the protection of personal data. 

Their processing is carried out by means of employees and contractors of the Data Controller, expressly identified and authorised for the processing (pursuant to Article 29 GDPR), as well as by persons external to the company organisation of the Data Controller, appointed for this purpose, if necessary, as Data Processors (pursuant to Article 28 GDPR). 

The Data are not subject to dissemination, nor to any fully automated decision-making process, including profiling. 

 
DATA RECIPIENTS  

The Data may be disclosed, to the extent strictly pertinent to the obligations, tasks and purposes set out above and in compliance with the applicable legislation, to the following categories of subjects: 
a. external natural and/or legal persons authorised to process the data indicated in point 3 above (e.g.: suppliers of IT systems, consultants, professional firms, insurance companies, etc.); 
b. other companies controlled by and/or connected to the Data Controller that are part of “Merlin”; 
c. subjects to whom such communication must be made in order to fulfil or require the fulfilment of specific obligations provided for by laws, regulations and/or national and EU legislation. 

TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATIONS 

As part of the management of the relationship with the Data Controller, the Data may be transferred to countries outside the EU and/or to international organisations, such as other companies and entities belonging to the Merlin group. In such cases, the Data Controller will take all appropriate security, protection and confidentiality measures aimed at protecting the Data, in compliance with current privacy legislation. 

Specifically, within the scope of the aforementioned purposes and in relation to the location, in particular of the servers, of Group companies or third parties, the data may also be transferred outside the EU, in compliance with the adequacy decisions (Article 45 GDPR), or in compliance with the appropriate guarantees of the EU Commission (Article 46 GDPR), or in any case in compliance with what is otherwise provided for by the provisions in force (Article 49 GDPR). To obtain copies of these guarantees or the place where they have been made available, please write to protezione.dati@gardaland.it. 

 
STORAGE TIMES 

Personal data collected will only be stored for as long as it is strictly necessary to fulfil the purposes for which they are processed or until the expiry of any statutory storage, processing and storage periods. 

Specifically: 

• data collected for Contractual Purposes will be stored for the duration of the Contract and for a further maximum period of 10 years after its termination; 

• data collected for Legal Purposes will be stored for a period equal to the duration prescribed by law for each type of data processed; 

• the data collected for Legitimate Interest Purposes will be retained within Gardaland's infrastructure for a maximum period of 10 years from the date of collection in the case of processing aimed at enforcing and defending Gardaland's rights in any litigation while, with respect to processing aimed at carrying out activities functional to transfers of the company or company branch, acquisitions, mergers, demergers or other transformations and for the execution of such operations, the storage periods listed above will apply with respect to the main processing; 

• data collected for Marketing Purposes will be stored for a period of 2 years after their collection, unless consent is revoked by the data subject. 

DATA SUBJECTS’ RIGHTS 

In relation to the processing of his or her personal data, the data subject has the opportunity to exercise certain rights (Articles 15-22 of the GDPR).   

Specifically, the GDPR confers the right to access, rectify or erase personal data, restrict or oppose processing, and portability. 

Where processing is based on consent, the data subject has the right to withdraw consent to the processing of his or her personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before such withdrawal.  

The data subject also has the right to lodge a complaint with the supervisory authority, which is the Italian Data Protection Authority, based in Rome at Piazza Venezia 11, or take the matter to the competent judicial authority.  

For the exercise of these rights, as well as for any request regarding data protection, the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or alternatively contact Gardaland's Data Protection Officer by e-mail at: protezione.dati@gardaland.it. 

Gardaland S.r.l, in its capacity as Data Controller, collects and uses the personal data of those who purchase and make use of the tickets for access to the Park, time-saving entrances, parking entrances and Photo Passes (hereinafter referred to as "Tickets" for the sake of brevity). 

TYPE OF DATA PROCESSED  

The personal data processed by the Data Controller necessary for the purchase of Tickets are: first name, last name, email, date of birth, province and country of residence.   

The additional data requested, such as mobile number, are optional and only necessary to pursue the purposes for which express consent is required (see the purposes indicated by point 3 of the next section of this privacy policy). 

PURPOSE  

In the case of Tickets offered by Gardaland, your personal data will only be processed for the purpose of issuing them, unless you expressly agree to any other use of your data (see the purposes indicated by point 3). The Ticket cannot be issued if you do not provide the personal data requested in the purchase form.  

The purposes of the processing of personal data relating to the purchase and subsequent issue of the Ticket are as follows: 

1. to allow the purchase, issue and use of the Ticket for park access, time-saving entrances, car park entrance and Photo Pass; 
2. for administrative/accounting purposes; 
3. to send commercial messages through newsletters and text messages, even by classifying users by country of origin; 
4. to allow browsing on website, improving the quality of services already provided. Guarantee the stability of the system, and security of data and activity. Ensure the correctness of web transactions, in compliance with the anti-fraud law. For the purposes listed in this section, aggregate data are also collected for internal performance evaluation. 

LEGAL BASIS  

Personal data are collected according to different legal bases applicable to each processing purpose: 

• performing a contract (Article 6(1)(b) GDPR) in order to purchase the Ticket; 
• regulatory obligations of the Data Controller (Article 6, par. 1, (c) GDPR) for administrative/accounting purposes; 
• consent expressed by the subject (Article 6(1)(a) GDPR) for commercial and marketing purposes, such as sending newsletters and text messages as indicated by point 3 of the paragraph “Purposes”; 
• legitimate interest of the Data Controller (Article 6(1)(f) GDPR) for the purposes indicated by point 4 of the paragraph “Purposes”. 

The data subject may always ask the Data Controller to clarify the concrete legal basis of each act of processing and, in particular, to specify whether the processing is based on law, provided for by contract or legitimate interest. 

Where the legal basis is legitimate interest, the data subject may at any time obtain further information on the purpose pursued by the Data Controller and withdraw the consent given for the pursuit of the specific purposes requiring it by contacting the Data Controller at protezione.dati@gardaland.it. 

DATA RECIPIENTS AND TRANSFER 

The data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located. 

The data collected and processed will not be disseminated, but may be disclosed solely for the above purposes to other companies and entities of the Merlin group, even those located abroad in or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Article 49(b) of the GDPR.  

Personal data may also be transferred to public bodies and administrations, professional firms, individual external professionals, service companies, hosting providers, IT companies, communications agencies (e.g. in connection with all the administrative and operational management requirements of the prize competition/contest and for the fulfilment of legal obligations arising therefrom), to third parties to whom the data must be communicated in order to fulfil legal obligations, or to comply with orders from public authorities legitimately empowered to do so, or for the purposes of judicial or extrajudicial protection of corporate interests - its own and/or those of third parties. 

The accounting/tax data may be disclosed to duly appointed external parties who carry out activities on behalf of the Data Controller such as, but not limited to: chartered accountants, credit institutions and related external professionals. The data in question may be transferred to IT partners selected to provide services related to the contract, who will guarantee the same level of technical and organizational protection guaranteed by the Data Controller.  

It is always possible to ask the Data Controller for an updated list of external Data Processors. 

STORAGE TIMES 

In general, data are stored by the Data Controller for the period required to perform the above purpose(s). 

In particular, the data are stored for 10 years in relation to the purpose of issuing the Ticket, as well as for the pursuit of the legitimate interests of the Data Controller, and for the time indicated by the applicable regulations with reference to administrative/accounting purposes. 

With regard to the purposes set out in point 3, for which the express consent of the data subject is required, the data are stored until the consent given is revoked and in any case for a maximum period of 24 months after it has been conferred. 

With reference to purpose no. 4, the data are retained by the Data Controller for the period necessary for the execution of the above-mentioned purpose(s), and in any case for the time stipulated by the relevant legislation for the related purposes.  

At the end of the above-mentioned periods and once the above-mentioned purposes have been fulfilled, personal data are, as a rule, deleted or anonymised; they may, however, only be stored for a longer period of time where required by law or, alternatively, after obtaining the consent of the data subject. 

Gardaland S.r.l, in its capacity as Data Controller, collects and uses the personal data of those who purchase and benefit from a seasons pass to the Park and/or from the Gardaland Club Membership (hereinafter, for the sake of convenience, referred to as “Season Pass(es)”). 

TYPE OF DATA PROCESSED 

The personal data processed by the Data Controller required for the season pass and participation in any events reserved for season pass holders are: first name, surname, email, date of birth, province and country of residence and passport photo. Participation in certain competitions may involve the processing of data related to use of the season pass, such as the number of accesses to the park. This data will be used to create a ranking that will reward the customers who have made the most visits to the park. These data will not be processed by means of automated decision-making, including profiling, but only by means of human intervention when recording accesses.  

The additional data requested, such as mobile number, are optional and only necessary to pursue the purposes for which express consent is required (see the purposes indicated by point 3 of the next section of this privacy policy). 

PURPOSE  

In the case of season passes offered by Gardaland, your personal data will only be processed for the purpose of issuing the season pass, unless you expressly agree to any other use of your data (see the purposes indicated by point 3). The season pass cannot be issued if you do not provide the personal data requested in the purchase form.  

The purposes of the processing of personal data relating to the purchase and subsequent issue of the season pass are as follows: 

1. to allow the purchase, issue and use of the season pass for access to the park; 
2. for administrative/accounting purposes; 
3. to send commercial messages through newsletters and text messages, even by classifying users by country of origin; 
4. to enable season pass holders to participate in prize competitions and events, manage the fulfilment of the competition regulations and perform all activities necessary for the proper conduct and conclusion of prize competitions and events in accordance with the law (e.g. identification of winners, delivery, shipment of prizes, etc.); 
5. to protect the company assets, security and safety, and company organization; specifically, for the purpose of processing the photograph image of the data subject on the subscription in order to check its correct and non-fraudulent use; 
6. to allow browsing on website, improving the quality of services already provided. Guarantee the stability of the system, and security of data and activity. Ensure the correctness of web transactions, in compliance with the anti-fraud law. For the purposes listed in this section, aggregate data are also collected for internal performance evaluation. 

LEGAL BASIS  

Personal data are collected according to different legal bases applicable to each processing purpose: 

• signing a contract (Article 6(1)(b) GDPR) in order to purchase the season pass for access to the park, as well as participation in prize competitions organised by Gardaland; 
• regulatory obligations of the Data Controller (Article 6, par. 1, (c) GDPR) for administrative/accounting purposes; 

• consent expressed by the subject (Article 6(1)(a) GDPR) for commercial and marketing purposes, such as sending newsletters and text messages as indicated by point 3 of the paragraph “Purposes”; 
• legitimate interest of the Data Controller (Article 6(1)(f) GDPR) for the purposes indicated by points 4, 5 and 6 of the paragraph “Purposes”. 

The data subject may always ask the Data Controller to clarify the concrete legal basis of each act of processing and, in particular, to specify whether the processing is based on law, provided for by contract or legitimate interest. 

Where the legal basis is legitimate interest, the data subject may at any time obtain further information on the purpose pursued by the Data Controller and withdraw the consent given for the pursuit of the specific purposes requiring it by contacting the Data Controller at protezione.dati@gardaland.it. 

RECIPIENTS AND TRANSFER 

The data are processed at the operating offices of the Data Controller and in any other place where the parties involved in the processing are located. 

The data collected and processed will not be disseminated, but may be disclosed solely for the above purposes to other companies and entities of the Merlin group, even those located abroad in or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Article 49(b) of the GDPR.  

Personal data may also be transferred to public bodies and administrations, professional firms, individual external professionals, service companies, hosting providers, IT companies, communications agencies (e.g. in connection with all the administrative and operational management requirements of the prize competition/contest and for the fulfilment of legal obligations arising therefrom), to third parties to whom the data must be communicated in order to fulfil legal obligations, or to comply with orders from public authorities legitimately empowered to do so, or for the purposes of judicial or extrajudicial protection of corporate interests - its own and/or those of third parties. 

The accounting/tax data may be disclosed to duly appointed external parties who carry out activities on behalf of the Data Controller such as, but not limited to: chartered accountants, credit institutions and related external professionals. The data in question may be transferred to IT partners selected to provide services related to the contract, who will guarantee the same level of technical and organizational protection guaranteed by the Data Controller.  

It is always possible to ask the Data Controller for an updated list of external Data Processors. 

STORAGE TIMES 

In general, data are stored by the Data Controller for the period required to perform the above purpose(s). 

In particular, the data are stored for 10 years in relation to the purpose of issuing the season pass, as well as for the pursuit of the legitimate interests of the Data Controller, and for the time indicated by the applicable regulations with reference to administrative/accounting purposes. 

With regard to the purposes set out in point 3, for which the express consent of the data subject is required, the data are stored until the consent given is revoked and in any case for a maximum period of 24 months after it has been conferred. 

With reference to purpose no. 4, the data are stored by the Data Controller for the entire duration of prize competitions/events, i.e. for the period necessary to fulfil the above-mentioned purpose(s), and in any case for the time stipulated by the sector regulations for the purposes connected with such prize competitions/events. The data acquired in the course of prize competitions/events will be stored even after the end of the initiatives for the further statutory period of limitation and/or for legal defence within a maximum period of 10 years, for all data subjects who are winners, from the end of the prize competitions/events and/or from the last use and/or event interrupting the limitation period, or, if later, from any notification of updating or rectification of such data that may be received directly from the data subjects for reasons connected with the prize competitions/events; 12 months, in the case of all participants who are not winners, from the end of prize competitions/events and/or the last use and/or limitation interrupting event. 

At the end of the above-mentioned periods and once the above-mentioned purposes have been fulfilled, personal data are, as a rule, deleted or anonymised; they may, however, only be stored for a longer period of time where required by law or, alternatively, after obtaining the consent of the data subject. 

Gardaland S.r.l, in its capacity as Data Controller, collects and uses personal data of those who browse, purchase and register their account within the website www.eshop.gardaland.it. 

For further information on data processing, data subjects may refer to the information notice on the e-commerce website at: https://eshop.gardaland.it/policies/privacy-policy 

In relation to the competitions offered by Gardaland, the data of the data subject will only be used for the purposes of processing the competition, unless explicit consent is given to use them for other purposes. Participation in the competition is not possible without the provision of certain personal data.  

Insofar as this results from the terms of participation, the data required for the implementation of the competition will be collected from other sources, in particular from the internal ticket/season pass/Gardaland Club purchase database. 

PURPOSE AND LEGAL BASIS 

Below are the purposes of the processing of personal data relating to prize competitions/events: 

1. allowing registration and participation in competitions and prize events; 
2. making it possible to draw up a list of customers entitled to participate; 
3. managing the fulfilments related to the competition regulations and carrying out all activities necessary for the proper conduct of competitions and prize events (e.g. identification of winners, delivery, shipment of prizes, etc.); 
4. carrying out all operations necessary to conduct competitions and prize events in accordance with the law; 
5. fulfilling obligations laid down by law, regulations or Community legislation and to assert or defend a right of Gardaland in the appropriate venues; 
6. publishing, subject to the acquisition of a specific and free consent from the data subject, the list/picture of the winners on the company's social media channels (Instagram/Facebook) or other means of communication and/or dissemination in accordance with the provisions of the competition and prize event regulations and detailed in the disclaimers that will be signed by the winners; 
7. using the personal data collected for internal and external corporate communication, in accordance with what is better detailed in the specific release forms that will be signed by the participants and/or winners. To this end, this notice may be supplemented by subsequent notices. 

For the aforementioned purposes Gardaland will process personal data according to the legal bases set forth in Article 6(1)(a), (b), (c) and (f) of the GDPR. 

DATA RECIPIENTS AND TRANSFER 

The data collected by Gardaland S.r.l. will be communicated to the following categories of recipients, who will process them as autonomous data controllers or as designated data processors pursuant to Article 28 GDPR: 

• professional firms, individual external professionals, service supply companies, hosting providers, IT companies, communication agencies, or in any case external companies designated as data processors that process the data on behalf of Gardaland (also in relation to all the administrative and operational management requirements of the competition/prize contest and for the fulfilment of the legal obligations deriving therefrom, as well as for the management of any relevant websites); 
• public bodies and administrations; 
• postal or other mail delivery companies (carriers/forwarders). Personal data will in any case not be disclosed, unless the service itself requires publication of the name; 

• third parties to whom the data must be disclosed in order to fulfil legal obligations, or to comply with orders from public authorities empowered to do so, or for the purposes of judicial or extrajudicial protection of corporate interests - its own and/or those of third parties; 
• companies belonging to the Merlin group, including those located abroad in the EU or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Art. 49(b) of the GDPR. 

PROCESSING METHODS 

The personal data collected/conferred are processed lawfully, fairly and transparently towards the data subject. 

The processing will be carried out using manual and/or computerised and/or telematic tools, with organisation and processing logics strictly related to the purposes and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures laid down by the provisions in force. 

It is possible that, on the occasion of specific prize competitions/events, a special page may be opened within the Website in order to access participation and the regulations.  

STORAGE TIMES 

In general, the data are stored by the Data Controller for the entire duration of prize competitions/events, i.e. for the period necessary to fulfil the above-mentioned purpose(s), and in any case for the time stipulated by the sector regulations for the purposes connected with prize competitions/events. At the end of the above period and once the above purposes have been fulfilled, the personal data will, as a rule, be deleted or anonymized; personal data may however be stored for a longer period of time only when this is required by law or with the consent of the data subject. 

The data acquired in the course of prize competitions/events will be stored even after the end of the initiatives for the further statutory period of limitation and/or for legal defence within a maximum period of 10 years, for all data subjects who are winners, from the end of the prize competitions/events and/or from the last use and/or event interrupting the limitation period, or, if later, from any notification of updating or rectification of such data that may be received directly from the data subjects for reasons connected with the prize competitions/events; 12 months, in the case of all participants who are not winners, from the end of prize competitions/events and/or the last use and/or limitation interrupting event. 

Storage for needs other than those described herein will be specified at the same time as the specific release form that will be submitted to the data subjects in connection with further processing. 

Gardaland S.r.l., in its capacity as Data Controller, processes the personal data of candidates for job positions within the Gardaland Resort for purposes connected to the personnel selection process. 

For further information on the processing of data, each candidate may refer to the information notice within each job position in the "Work with us" section of the Gardaland website, in addition to the privacy notice given upon any first contact. 

Gardaland S.r.l., in its capacity as Data Controller, is in possession of the personal data of its employees for the fulfilment of legal obligations, the execution of employment contracts, the performance of work and/or in the event that legitimate interests of the company should require it, after checking the balance of interests. 

For more information on data processing, employees may refer to the general information notice given at the time of employment. 

In connection with certain processing activities, additional information is provided with ad hoc information notices or by means of specific documents. 

Closed-circuit video surveillance systems are in operation, consisting of indoor and outdoor digital cameras and a digital video recorder, at the Gardaland Park, LEGOLAND® Water Park, Aquarium Sea Life, the Hotels (Gardaland Hotel, Gardaland Adventure Hotel and Gardaland Magic Hotel), in the parking areas, and at all its production units and administrative offices. Gardaland will therefore process the image viewed and/or recorded through closed circuit video surveillance systems of the people who will access its premises.  

The refusal to provide data makes it impossible for the Data Controller to allow the data subject access to the above premises. Indeed, access to the video-surveillance zones involves the collection, recording, storage and, in general, use of the images of those concerned, as well as further data, e.g. the registration number of the car, which indirectly enable the identification of the person concerned.

Video-surveillance activities are carried out in compliance with the principle of proportionality in the choice of filming methods and the location of filming equipment, and the processing of data is pertinent and does not exceed the purposes pursued below. 

DATA SUBJECTS 

The subjects potentially affected by the processing of personal data by Gardaland for the purposes and processing activities referred to in this section are visitors, suppliers and employees of the company.

PURPOSE AND LEGAL BASIS  

The system is installed and operational for the purposes listed below, which correspond to the legal basis of the legitimate interest of the Data Controller: 

• public order, crime prevention and detection;  
• safety on the workplace; 
• protection of company property; 
• monitoring of vehicle and aircraft movement areas;  
• safety check of some operating areas and installations. 

PROCESSING METHODS AND INFORMATION SECURITY 

The data collected through the video surveillance system will only be those necessary to achieve the purposes stated above, subject to police and judicial requirements, and will not be disclosed or communicated to third parties. Images will be used in compliance with the indications contained in the authorisation orders issued by the competent authorities. No changes will be made to the system and no further equipment will be added except in accordance with Article 4 of Law No. 300/1970 as amended by Article 23 of Legislative Decree No. 151/2015, and in any case notice will be given to those visiting the company premises.  

Access to areas under video surveillance will be signposted with appropriate signs. 

Only those persons authorised by the Data Controller for the specific processing will have access to the images, if necessary, to pursue the purposes for which the system was authorised or in the event of an explicit request by the Public Authorities. 

STORAGE TIMES 

The storage time of the collected data recordings will be in accordance with the terms set out in the authorisation order of the Italian Data Protection Authority, i.e. for a maximum period of 30 days from the time the images were taken. After this deadline, the images will be automatically deleted by overwriting them with new images, without prejudice to the needs of specific investigative requests by the Judicial Authority or the Judicial Police. 

DATA RECIPIENTS AND TRANSFER 

All the data collected and processed will never be disclosed outside the company, but may be communicated and transferred, for the aforementioned purposes only, to subjects carrying out supervisory, control and prevention tasks, as well as to any public entity entitled to request the data, such as judicial and/or public security authorities. 

The Data may be processed, on behalf of the Data Controller, by parties designated as external data processors, such as companies that provide control and surveillance services and companies that provide maintenance services for the video surveillance system. 

It should be noted that the data subjects, should they need to view their images, must first proceed by means of a report/complaint to the competent authority, which, at its sole discretion, may then request the extraction of the images from the Data Controller within the aforementioned retention period. 

RIGHTS OF THE DATA SUBJECT  

Without prejudice to the pursuit of the aforementioned purposes, the data subject has the right to exercise, where provided for by law and compatibly with the type of processing, the rights referred to in Article 13(b) of the GDPR and, in particular, the right to ask the Data Controller for access to personal data, to have them erased, to restrict the processing concerning him/her and to object to the processing. The right of access will be allowed only and exclusively after reporting/complaint to the competent authority, which, at its sole discretion, may subsequently request the extraction of the images from the Data Controller within the aforementioned storage period. 

The data subject also has the right to lodge a complaint with the supervisory authority, i.e. the Garante per la protezione dei dati personali (Italian Data Protection Authority), based in Rome, Piazza Venezia, 11. 

For the exercise of these rights, as well as for any request regarding data protection, the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or alternatively contact Gardaland's Data Protection Officer by e-mail at: protezione.dati@gardaland.it. 

For each request for the exercise of rights made by a data subject, the Data Controller reserves the right to assess the feasibility of the proposed request in the light of the purposes pursued, as well as of the sectoral legislation.  

In this section the Data Controller Gardaland S.r.l. informs you about the processing of personal data collected through the customer service in order to obtain information, as well as to make and manage reports and/or complaints. Such reports/contact requests may be made both physically inside the Park, at the service points, as well as through online forms and digital channels by contacting Gardaland at the e-mail address infobox@gardaland.it and certified email gardaland@legalmail.it. 

DATA SUBJECTS 

The data subjects potentially involved in the processing of personal data by Gardaland for the purposes and processing activaities referred to in the following sections are the data subjects making requests/complaints, i.e. Customers/potential Customers. 

TYPE OF DATA PROCESSED 

Certain personal data will be collected through the forms provided, including by way of example: name, surname, e-mail address, etc. 

If it is necessary to obtain certain types of data in order to process the request, the Data Controller will mark the mandatory fields within the forms with an asterisk (*). 

With regard to the provision of further, non-compulsory data, the provision of such data is optional on the part of the data subject. In this case, data subjects are therefore free to refrain from communicating such data, without this having any consequence on the processing of their request. 

PURPOSES AND LEGAL BASIS OF THE PROCESSING 

Data may be processed for the following purposes: 

1. fulfilment of pre-contractual commitments or the performance of the contract, e.g. request for information, handling of reports and/or complaints, falling under the legal basis provided for in Article 6(1)(b) GDPR; 
2. fulfilment by the Data Controller of legal obligations imposed by sector (administrative, accounting, etc.), national and European legislation applicable to the existing relationship and/or related and/or instrumental activities, falling within the legal basis provided for in Article 6(1)(c) GDPR; 
3. legitimate interest of the Data Controller for the purpose of carrying out internal audits, to maintain the historical list of Data relating to reports and/or complaints received for purposes related to the management of business and quality processes, as well as to prevent any fraud, falling under the legal basis provided for in Art. 6(1)(f) GDPR; 
4. legitimate interest of the Data Controller in connection with the establishment, exercise or defence of a right in all competent forums, including out-of-court procedures, falling under the legal basis provided for in Article 6(1)(f) GDPR. 

Furthermore, please note that in the event that the data subject transmits, spontaneously and/or through the forms provided by the Data Controller, personal data falling into the special categories pursuant to Article 9 GDPR (i.e. personal data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"), the processing of such data by the Data Controller will have as its legal basis the consent pursuant to Articles 6(1)(a) and (7) GDPR. 

PROCESSING METHODS AND INFORMATION SECURITY 

The processing of the Data is carried out by means of collection, recording, organisation, storage, consultation, processing, modification, comparison, use, interconnection, selection, extraction, blocking, communication, deletion and destruction of the Data. 

The Data are processed by means of electronic or automated, computerised, telematic and/or paper-based tools and in any case in the manner strictly necessary to fulfil the above-mentioned purposes. Data may be collected by the Data Controller, in addition to the form in question, through its postal and telephone addresses. 

The Data are recorded and stored by the Data Controller in computer and/or paper archives, as well as kept and controlled in such a way as to guarantee their security and confidentiality, in compliance with the aforementioned legislation on the protection of personal data. 

Their processing is carried out by employees and contractors of the Data Controller, expressly identified and authorised for the processing (pursuant to Article 29 GDPR), as well as by persons external to the company organisation of the Data Controller, appointed for this purpose, if necessary, as Data Processors (pursuant to Article 28 GDPR). 
The Data are not subject to dissemination, nor to any fully automated decision-making process, including profiling. 

DATA RECIPIENTS AND TRANSFER 

The Data may be disclosed, to the extent strictly pertinent to the obligations, tasks and purposes set out above and in compliance with the applicable legislation, to the following categories of subjects: 

• external natural and/or legal persons authorised to process the data indicated in point 3 above (e.g.: call centres, suppliers, consultants, professional firms, insurance companies, etc.); 
• other companies controlled by and/or connected to the Data Controller that are part of “Merlin”, including those located abroad, in the EU or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Article 49(b) of the GDPR; 
• subjects to whom such communication must be made in order to fulfil or require the fulfilment of specific obligations provided for by laws, regulations and/or national and EU legislation. 

STORAGE TIMES  

With reference to the above-mentioned purposes, the data will be processed by the Data Controller for the entire duration of the management of the customer care file, as set out in this information notice. 
Subsequently, only the data required by current accounting, tax, civil and procedural law will be stored for the time stipulated therein. It should be noted that the Data referred to in the paragraph "Purposes and legal basis of the processing" in point 3, relating to your customer care file (name, surname, address and e-mail and telephone contact) will be retained by the Data Controller for 5 (five) years for the purposes of defence in court for any claims for damages. 

This section contains information on data processing involving professionals, business partners and suppliers of Gardaland.  

TYPE OF DATA PROCESSED 

Gardaland processes personal data already collected, directly supplied or which will be acquired during the pre-contractual and contractual relationship, such as, by way of example, the name and surname of the professional or of the legal representative/attorney/contact of the partner company, tax code and/or VAT number, residence address, e-mail address and/or certified email, telephone number, as well as bank and payment references. 

PURPOSE OF PROCESSING AND LEGAL BASIS 

All data communicated by the data subjects, or that Gardaland acquires from third parties, will be used exclusively for the purpose of carrying out negotiations, tenders and phases of tenders, or for the management of contractual and pre-contractual relations with the data subjects, for the fulfilment of obligations of supranational, national, regional and statutory regulations that govern Gardaland's activity, to conduct audits, due diligence, or other duties relating to the internal control system, and, if necessary, to safeguard interests connected to the performance of relations in any litigation phase, pursuant to Article 6 (1)(b) and (f) of the GDPR.  

The personal data requested are indispensable for the completion and performance of the contract and are in part required by law, and in part optional. Consequently, failure to provide such data would make it impossible to perform the obligations under the contract. The processing of data for these purposes does not require the consent of the data subject. 

PROCESSING METHODS AND INFORMATION SECURITY 

The personal data collected/conferred are processed lawfully, fairly and transparently towards the data subject. 

The processing will be carried out using manual and/or computerised and/or telematic tools, with organisation and processing logics strictly related to the purposes and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures laid down by the provisions in force. 

DATA RECIPIENTS AND TRANSFER 

The company may disclose data subjects' data for the above-mentioned purposes to the following categories of subjects:  

• employees and contractors of the Data Controller, authorised to processing, within the scope of their tasks relating to business relations with the Supplier; 
• third parties (natural or legal persons) carrying out audit services of regulatory compliance and certified management systems of Gardaland; 
• banking institutions, acting as autonomous data controllers, for the management of collections and payments arising from the performance of the contract between the Data Controller and the Supplier;  
• public bodies and/or judicial and/or supervisory authorities, in case of their request, as autonomous data controllers, by virtue of regulatory obligations; 
• companies belonging to the Merlin group, including those located abroad in the EU or outside the EU. The level of data protection in non-EU countries may differ from the level of protection within the European Union. In the case in question, said transfer is made on the basis of Article 49(b) of the GDPR;
• transferees of a company or business unit, companies resulting from any mergers, demergers or other transformations of the company.  

Depending on the circumstances, these recipients act as data controllers, data processors and sub-processors. 

STORAGE TIMES  

All data held by Gardaland are stored only for the period necessary for the purposes of collection and the applicable regulatory obligations.  

Once the purposes of the processing have been fulfilled, personal data are, as a rule, deleted or anonymised, also by means of an archive elimination procedure; data may only be stored for a longer period of time where required by law, contractual necessity or with the consent of the data subject. As far as contractual services are concerned, the terms are those of the law. 

The data shall be stored even after the termination of the contractual relationship, for the period necessary for the fulfilment of the related obligations and for the fulfilment of legal obligations for a maximum period of 10 years from the termination of the relationship or, if later, from any communication of update or rectification of such data that should directly reach us from the data subjects. 

WHISTLEBLOWING POLICY

Gardaland S.r.l., in compliance with its obligations under Legislative Decree 24/2023, has established a procedure aimed at preventing and combating crimes or other behaviours that violate the law or its internal protocols, allowing individuals to make reports in accordance with the Whistleblowing Policy, accessible on its website in the section (https://www.gardaland.it/en/safety-privacy/compliance/). 

As Data Controller, Gardaland S.r.l. hereby wishes to disclose the methods by which it collects and processes the information and personal data provided under the Whistleblowing Procedure.

DATA SUBJECTS 

The data subjects involved in the processing of personal data by Gardaland for the purposes and processing activities referred to in the following sections are the whistleblowers (in case the reports are not completely anonymous and the identity of the whistleblower can be determined) and the reported persons, namely:  

• employees or workers with a permanent or temporary contract;
• contractors;
• subcontractors;
• volunteers;
• trainees;
• agency workers;
• consultants and self-employed workers;
• shareholders and persons entrusted with administrative, management, supervisory or representative functions.

TYPES OF DATA PROCESSED

The personal data processed during the Whistleblowing Procedure and the subsequent investigation phase will include the identification and contact details of both the whistleblower and the subject of the report, information about the alleged conduct, and any other data submitted based on the nature of the report or its relevance to the reported incident. In all cases, only personal data that are strictly and objectively necessary to determine the validity of the report and to proceed with its resolution will be processed. Should personal data be collected, even accidentally, that are clearly not necessary for the handling of the report, such data will be deleted immediately.

In case the dedicated Safecall platform on the Gardaland website is used to make a report (www.safecall.co.uk/report), the fields marked with an asterisk (*) within the reporting forms are mandatory, as the collection of such data is essential for the processing of the report. With regard to the provision of further, non-compulsory data, the provision of such data is optional on the part of the data subject and failure to provide them will not affect the processing of the report submitted.

PURPOSE

The purposes of the processing of personal data during the Whistleblowing Procedure are as follows:

1. to initiate and monitor the Whistleblowing Procedure, which includes the verification of reported facts, the initiation of investigations, the formulation of responses and the implementation of any corrective or supportive measures for whistleblowers, as well as the resolution of the whistleblowing reports and the preparation of related reports.
2. to comply with legal obligations established by national and/or EU laws and regulations, including those set out in Legislative Decree No. 24/2023 (the "Whistleblowing Decree"), which implements Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law and establishes provisions for the protection of persons who report breaches of national law;
3. to assert or defend Gardaland's legal rights in legal proceedings and to ensure the effective management of the company, also through the implementation of internal policies and procedures.

Please note that personal data will not be subject to any fully automated decision-making process, including profiling.

LEGAL BASIS

Personal data are collected according to different legal bases applicable to each processing purpose: 

• compliance with the legal obligations incumbent on the Data Controller (Article 6, par. 1, (c) of GDPR) for the purposes described in points 1 and 2 of the “Purpose” section. This includes the management of reports, the fulfilment of legal obligations relating to the Whistleblowing Procedure and the provision of feedback on reports received within the limits set in the aforementioned Whistleblowing Decree. The processing of personal data for these purposes is considered mandatory to enable the Data Controller to comply with the relevant legislation;
• legitimate interest of the Data Controller (Article 6, par. 1, (f) GDPR) for the purposes indicated by point 3 of the paragraph “Purpose”.

Under no circumstances may the reports be used by Gardaland to discriminate or retaliate against the data subjects.

DATA RECIPIENTS AND TRANSFER

In order to pursue the above-mentioned purposes, personal data may be shared with other companies of the Group (parent companies, subsidiaries and/or associated companies) to which Gardaland belongs. However, such disclosure will only be made to persons entrusted with the management of reports, as specified in the relevant policy, or to third parties (service providers) who will process them as (external) data processors in accordance with Article 28 of the GDPR, as well as to competent bodies and/or authorities, including for the purpose of conducting investigations and/or subsequent legal proceedings resulting from the reviews carried out under the Whistleblowing Procedure.

In particular, reports and the information and personal data contained therein will be processed by a specially appointed committee consisting of the CEO of the company, the HR Director and a member of the Supervisory Board. The data may only be processed by employees of the company departments responsible for pursuing the above purposes, who have been authorised by the Data Controller to do so and who have received adequate operating instructions, in particular regarding security measures, to ensure the confidentiality and security of the personal data.

Within the scope of the aforementioned purposes and in relation to the location, in particular of the servers, of Group companies or third parties, the data may also be transferred outside the EU, in compliance with the adequacy decisions (Article 45 GDPR), or in compliance with the appropriate guarantees of the EU Commission (Article 46 GDPR), or in any case in compliance with what is otherwise provided for by the provisions in force (Article 49 GDPR). To obtain copies of these guarantees or the place where they have been made available, please write to protezione.dati@gardaland.it.

PROCESSING METHODS AND INFORMATION SECURITY

Personal data will be processed using manual or computerised means that are appropriate to ensure security and confidentiality and to prevent unauthorised access, dissemination, modification or theft of data, by adopting appropriate technical, physical and organisational security measures in accordance with the above-mentioned laws and related confidentiality obligations, and in any case for the purposes and in the manners described in this policy.

In particular, the computerised systems used for the Whistleblowing Procedure, including the Safecall platform, will be configured to prevent unauthorised access. The Safecall system provider will be appointed as an external data processor and the entire processing activity will be subject to a Data Protection Impact Assessment (DPIA).

The data may only be processed by employees of the company departments responsible for pursuing the above purposes and authorised by the Data Controller. They will receive appropriate operational instructions to ensure the complete confidentiality of the personal data collected.

Personal data, in particular the identity of the data subject or any other information revealing the identity of the whistleblower in the case of anonymous reports, will be kept strictly confidential and will not be disclosed to third parties other than those responsible for managing the Whistleblowing Procedure as indicated in the previous paragraph. In particular, reports can be submitted anonymously through the Safecall platform. If a whistleblower chooses this option, Gardaland will ensure anonymity, and the whistleblower's identity may only be disclosed with their consent or as permitted by law.

STORAGE TIMES

Personal data provided through the Whistleblowing Procedure will be processed for the time strictly necessary to achieve the purposes stated above. In any case, personal data will be retained for 5 years from the date of notification of the final outcome of the Whistleblowing Procedure, unless a longer retention period is required for any litigation, requests by competent authorities or to comply with applicable law.

DATA SUBJECTS’ RIGHTS 

In relation to the processing of their personal data, the data subject has the opportunity to exercise certain rights (Articles 15-22 of the GDPR).   

Without prejudice to the foregoing, according to Article 2-undecies of the Privacy Code and Article 12 of the Whistleblowing Decree, the rights mentioned above (Articles 15-22 of the GDPR) may not be exercised if doing so could result in an actual and concrete prejudice to the confidentiality of the identity of the person reporting a breach they have learned about through their employment relationship with Gardaland or due to the functions they perform for the latter. Furthermore, if there is a concrete risk that the disclosure of the requested information by exercising such rights could jeopardize ongoing investigations or, in general, the proper conduct of the Whistleblowing Procedure, the feedback to the data subject will only be provided once this risk has ceased to exist.

In any case, the reported person will not have access to the identity of the whistleblower, but only to the content of the report.

For the exercise of these rights, as well as for any request regarding data protection, the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or alternatively contact Gardaland's Data Protection Officer by e-mail at: protezione.dati@gardaland.it.