This is to inform you about the processing of your personal data in relation to the services provided by the Hotels of Gardaland S.r.l. (Gardaland Resort Hotel, Gardaland Magic Hotel, Gardaland Adventure Hotel). The processing is carried out in accordance with the criteria set forth in the European Data Protection Regulation, EU Reg. 2016/679 ("GDPR"). According to the aforementioned legislation, the processing will be based on the principles of fairness, lawfulness and transparency and the protection of your confidentiality and rights.
DATA CONTROLLER AND CONTACT DETAILS
The Data Controller with regard to the services provided by the Hotels is the company Gardaland S.r.l. ("Controller" or "Gardaland"), VAT No. 05431170967, in the person of the current legal representative, with registered office in Via Derna 4, 37014 Castelnuovo del Garda (VR), acting in the name and on behalf of the company Gardaland Holidays S.r.l..
The contact for privacy issues is the e-mail address: email@example.com. Gardaland has also appointed its own Data Protection Officer (DPO) who can also be contacted at the email address firstname.lastname@example.org.
The data subjects involved in the processing of personal data by Gardaland for the purposes and processing activities referred to in the following sections are the following:
TYPE OF DATA PROCESSED
In order to make use of the services provided by the Hotels, the Data Controller shall collect the following mandatory data: first name, surname, gender, I.C./passport number, residential address, nationality, e-mail address, telephone number and payment details.
The provision of the above-mentioned Data is mandatory. Failure to provide the Data, even partially, will result in the Data Controller being unable to establish and/or continue the relationship with the Guest.
PURPOSES AND LEGAL BASIS OF THE PROCESSING
Personal data are collected for the following purposes and processed according to the specific legal bases:
enable the user to browse within the Website and create the relevant access profile to manage and view bookings made; falling under the legal basis provided for in Article 6(1)(b) GDPR;
execute pre-contractual measures (such as, for example, the request for information or quote), falling under the legal basis provided for in Article 6(1)(b) GDPR. In the case of the provision of Special Data, the legal basis for the processing is also the consent of the data subject;
management of the contractual relationship, provision of the requested service, acquiring and confirming the booking of accommodation and ancillary services, performing the web check-in and pre-check-in service prior to the customer's arrival at the facility; falling under the legal basis provided for in Article 6(1)(b) GDPR. In the case of the provision of Special Data, the legal basis for the processing is also the consent of the data subject;
organise meetings, conferences and private events falling under the legal basis of Article 6(1)(b) GDPR;
comply with the obligation provided for by the “Testo unico delle leggi di pubblica sicurezza (Italian Consolidated Law on Public Security)” (Article 109 Royal Decree 18.6.1931 no. 773), which requires the data controller to communicate to the Police Headquarters, for public security purposes, the personal details of the guests in accordance with the procedures established by the Ministry of the Interior (Decree of 7 January 2013); falling under the legal basis provided for in Article 6(1)(c) GDPR;
administrative purposes and for the fulfilment of legal obligations such as accounting, tax, or to comply with requests from judicial authorities falling under the legal basis provided for in Article 6(1)(c) GDPR;
periodic sending, by e-mail, of newsletters and commercial communications subject to the granting of specific consent (marketing purposes); falling under the legal basis provided for in Article 6(1)(a) GDPR;
allow the Data Controller to carry out surveys aimed at improving the quality of the service provided (“Customer Satisfaction”) on the basis of the legitimate interest of the Controller to verify the quality of the contractual service rendered to the Customer; falling within the legal basis provided for in Article 6(1)(f) GDPR;
for the purpose of protecting persons, property and assets of the company through a video surveillance system of certain areas of the facility, identifiable by the presence of appropriate signs, in order to protect persons and assets against any aggression, theft, robbery, damage, vandalism and for the purpose of fire prevention and work safety; falling within the legal basis provided for in Article 6(1)(f) GDPR;
the establishment, exercise or defence of a right in all competent forums, including out-of-court procedures, falling under the legal basis provided for in Article 6(1)(f) GDPR.
Furthermore, please note that in the event that the Data Subject transmits, spontaneously and/or during his/her stay, personal data falling into the special categories pursuant to Article 9 GDPR (i.e. personal data revealing " racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation"), the processing of such data by the Data Controller will have as its legal basis the consent pursuant to Articles 6(1)(a) and (7) GDPR.
Finally, it should be noted that in order to better manage your file, where necessary, further personal data may be requested by the Data Controller, which will be processed in compliance with the privacy regulations and the indications contained in this information notice.
PROCESSING METHODS AND INFORMATION SECURITY
The processing of the Data is carried out by the Data Controller by means of collection, recording, organisation, storage, consultation, processing, modification, comparison, use, interconnection, selection, extraction, blocking, communication, deletion and destruction of the Data.
The Data are processed by means of electronic or automated, computerised, telematic and/or paper-based tools and in any case in the manner strictly necessary to fulfil the above-mentioned purposes.
Data may be collected by the Data Controller, in addition to the form in question, through its postal and telephone addresses.
The Data are recorded and stored by the Data Controller in computer and/or paper archives, as well as kept and controlled in such a way as to guarantee their security and confidentiality, in compliance with the aforementioned legislation on the protection of personal data.
Their processing is carried out by means of employees and contractors of the Data Controller, expressly identified and authorised for the processing (pursuant to Article 29 GDPR), as well as by persons external to the company organisation of the Data Controller, appointed for this purpose, if necessary, as Data Processors (pursuant to Article 28 GDPR).
The Data are not subject to dissemination, nor to any fully automated decision-making process, including profiling.
The Data may be disclosed, to the extent strictly pertinent to the obligations, tasks and purposes set out above and in compliance with the applicable legislation, to the following categories of subjects:
a. external natural and/or legal persons authorised to process the data indicated in point 3 above (e.g.: suppliers of IT systems, consultants, professional firms, insurance companies, etc.);
b. other companies controlled by and/or connected to the Data Controller that are part of “Merlin”;
c. subjects to whom such communication must be made in order to fulfil or require the fulfilment of specific obligations provided for by laws, regulations and/or national and EU legislation.
TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATIONS
As part of the management of the relationship with the Data Controller, the Data may be transferred to countries outside the EU and/or to international organisations, such as other companies and entities belonging to the Merlin group. In such cases, the Data Controller will take all appropriate security, protection and confidentiality measures aimed at protecting the Data, in compliance with current privacy legislation.
Specifically, within the scope of the aforementioned purposes and in relation to the location, in particular of the servers, of Group companies or third parties, the data may also be transferred outside the EU, in compliance with the adequacy decisions (Article 45 GDPR), or in compliance with the appropriate guarantees of the EU Commission (Article 46 GDPR), or in any case in compliance with what is otherwise provided for by the provisions in force (Article 49 GDPR). To obtain copies of these guarantees or the place where they have been made available, please write to email@example.com.
Personal data collected will only be stored for as long as it is strictly necessary to fulfil the purposes for which they are processed or until the expiry of any statutory storage, processing and storage periods.
data collected for Contractual Purposes will be stored for the duration of the Contract and for a further maximum period of 10 years after its termination;
data collected for Legal Purposes will be stored for a period equal to the duration prescribed by law for each type of data processed;
the data collected for Legitimate Interest Purposes will be retained within Gardaland's infrastructure for a maximum period of 10 years from the date of collection in the case of processing aimed at enforcing and defending Gardaland's rights in any litigation while, with respect to processing aimed at carrying out activities functional to transfers of the company or company branch, acquisitions, mergers, demergers or other transformations and for the execution of such operations, the storage periods listed above will apply with respect to the main processing;
data collected for Marketing Purposes will be stored for a period of 2 years after their collection, unless consent is revoked by the data subject.
DATA SUBJECTS’ RIGHTS
In relation to the processing of his or her personal data, the data subject has the opportunity to exercise certain rights (Articles 15-22 of the GDPR).
Specifically, the GDPR confers the right to access, rectify or erase personal data, restrict or oppose processing, and portability.
Where processing is based on consent, the data subject has the right to withdraw consent to the processing of his or her personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before such withdrawal.
The data subject also has the right to lodge a complaint with the supervisory authority, which is the Italian Data Protection Authority, based in Rome at Piazza Venezia 11, or take the matter to the competent judicial authority.
For the exercise of these rights, as well as for any request regarding data protection, the data subject may send a registered letter with return receipt to Gardaland S.r.l., Via Derna 4, 37014 Castelnuovo del Garda (VR), or alternatively contact Gardaland's Data Protection Officer by e-mail at: firstname.lastname@example.org.