Skip to main content

Privacy Statement

Merlin Attractions Italy S.r.l  ("we", "us", "our"), we may collect and use personal data about consumers who visit our attractions or hotels, or browse our websites "Website(s)"). Personal data is any information that can used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.

The purpose of this privacy policy ("Policy") is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to find the information that is most relevant to you. 

Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any contract that you have with us (for example, Wi-Fi terms and conditions or annual pass terms) or any rights you might have available under applicable data protection laws.

We will make changes to this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant Website(s) so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect, how we use it, and who we share it with.


  1. WHO is responsible for looking after your personal data?
  2. WHAT personal data do we collect?
  3. WHEN do we collect your personal data?
  4. What PURPOSES do we USE your personal data for and which legal grounds do we process them on?
  5. Who do we SHARE your personal data with?
  6. International Transfers
  7. How do we process your personal data?
  8. How long do we keep your personal data?
  9. What are your rights?
  10. Contact and complaints




1. WHO is responsible for looking after your personal data?


Merlin Attractions Italy S.r.l  ("Merlin Attractions Italy S.r.l") is an Italian based entertainment company, with a registered office at Via Derna, 4 - 37014 CASTELNUOVO DEL GARDA (Verona), ITALY. It is part of the Merlin Entertainment group which operates over 100 attractions, and over 20 hotels and holiday villages in 25 countries - A list of our attractions and a note of the companies that make up the group is available at ("Merlin Group").  Our business is about creating unique, memorable and rewarding visitor experiences.

As Merlin Attractions Italy S.r.l is the company which was originally responsible for collecting information about you, it will be the Data Controller and can be contacted using the details set out section 10. You should be aware that although Merlin Attractions Italy S.r.l  is principally responsible for looking after your personal data, information is likely to be held in databases which can be accessed by other Merlin Group companies.


2. WHAT personal data do we collect?

We process personal data of potential customers, historic customers and current customers and attraction visitors, who may be also minors.

In relation to such categories of data subjects, we collect the following data:

  • Information that you provide by filling in forms on our Website(s). This includes information provided at the time of registering to use our Website(s), subscribing to our services, including booking of attractions and hotels, purchase of tickets, posting material or requesting further services subject to your contract with Merlin Attractions Italy S.r.l ("Services"). We may also ask you for information when you report a problem with our Website(s).
  • If you contact us with any concerns or issues, we may keep a record of that correspondence.
  • Information collected through the completion of surveys, such as your experience at one of our attractions.
  • Details of transactions you carry out through our Website(s) and of the fulfilment of your bookings including your credit/debit card details.
  • Details of your visits to our Website(s) including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
  • Your name, address, telephone number and/or email address in order to contact you with details of your booking or in the unlikely event that we need to contact you urgently about your booking.

This includes the collection of contact details such as your name, address, date of birth, telephone number and email address, health data, such as information on your or your family members' disability (if and when notified to us and subject to your prior express consent), minors' data, such as name, age and address (if and when notified to us by a parent), engagement details including your purchase history and attraction visit history, your marketing preferences including interests / marketing list assignments, record of permissions or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type, and session frequency and cookies - please see our separate cookie policy for further details on cookies.


3. WHEN do we collect your personal data?


  • We will collect information from you directly when you register to our Website(s), when you subscribe to our Services, when you sign up for a newsletter from an attraction website, when you purchase a ticket or pass, where you make a phone booking, where you sign up for Wi-Fi at one of our attractions, when you book to stay at one of our hotels, where you complete a survey, or where you contact us with questions or suggestions.
  • To the extent permitted by law, we may also monitor and record telephone calls in order to record your opt-in to receive marketing content (where required, see section 4(f) for further details) when you call us directly.
  • Information about you, your family members and, in particular, your child(ren) may be provided to us indirectly by a family member or another third person when they apply for a family ticket or where a parent enters into a competition on behalf of its child.


We will not knowingly collect any personal data about children for the purpose of marketing without making it clear that such information should only be provided with parental consent, if this is required by applicable laws - so Merlin Attractions Italy S.r.l  will only use the personal data of children as far as is permitted by law where the required parental or guardian consent has been obtained.


4. What PURPOSES do we USE your personal data for and which legal grounds do we process them on?

4.1. We will use your personal data to:

  1. allow you to register on the Website(s);
  2. provide you with the Services , such as enable you to book the attractions and hotels, complete the relevant payments for tickets to our attractions;
  3. provide you with customer support and to respond to inquiries;
  4. comply with applicable laws or legal process and/or respond to requests from public and government authorities; (the purposes from letters a) to d) above are jointly defined as the "Mandatory Purposes");
  5. carry out activities useful for the transfers of business and business branches, takeovers, mergers, demergers or other transformations and for the execution of such transactions ("Legitimate Interest Purpose");
  6. with your prior consent,
    1. carry out market searches to improve the experiences at our attractions;
    2. send newsletters and marketing communications by any means (including e-mail, SMS, phone calls or direct mail), related to our products and services (e.g. invitation at special events, promotion of special offers, promotion of new products and services);
  • send the same types of communications of point ii. above in relation to products and service of other companies of the Merlin Group;
  1. profile your preferences and needs in order to send customized marketing communications on products or services that you request from us or which we feel may interest you,

(the purposes of this letter f) are jointly defined as the "Marketing Purposes");

  1. with your prior express consent, process health data concerning your or your family members' disabilities so as to ensure the access and performance of our Services ("Disabilities Related Purposes").


4.2. We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 and in Appendix 1 where we are satisfied that:

  1. the Mandatory Purposes are compulsory as necessary for the registration to the Website(s) and the provision of the requested services and therefore if you don't want your personal data to be used for such purposes, you may not register to the Website(s) and the services could not be provided;
  2. the Legitimate Interest Purpose is performed in accordance with article 24, paragraph 1, letter d) of the Privacy Code up to the 24 May 2018, while from the 25 May 2018 it is based on the legitimate interest of Merlin Attractions Italy S.r.l and of its counterparties to perform such economic activities which is adequately balanced with your interest since the data processing is performed within the limits strictly necessary to perform such economic activities. This data processing activity is not mandatory and you can object at any time through the modalities as per Section 10 below;
  3. the Marketing Purposes is discretionary, but the lack of provision of the consent to their performance would determine the impossibility for Merlin Attractions Italy S.r.l to provide you with marketing communications based on your interests and needs. You can withdraw your consent to the processing your personal data for the Marketing Purposes at any time by sending a communication to the email address in Section 10 below; and
  4. the Disabilities Related Purposes is discretionary, but the lack of provision of the consent to their performance would determine the impossibility for Merlin Attractions Italy S.r.l to provide you with its Services. You can withdraw your consent to the processing your personal data for the Disabilities Related Purposes at any time by sending a communication to the email address in Section 10 below

PLEASE NOTE: If we previously told you in an older version of the privacy policy that we were relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis unless we have said that expressly in this Policy.


5.Who do we SHARE your personal data with?

As flagged above in section 1, we share data with other Merlin Group companies for marketing and profiling purposes, as well as non-marketing purposes as outlined in section 4.

We also share the data with third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data, and include:

  • service providers, who help manage our IT and back office systems, and assist with our Customer Relationship Management activities, Accesso e Facebook.
  • our regulators, which may include the Italian Data Protection Authority, as well as other regulators and law enforcement agencies in the E.U. and around the world,
  • solicitors and other professional services firms (including our auditors).

Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser.

Merlin Attractions Italy S.r.l has appointed, among others, as data processor Best Union, Diennea, Lakeweb, Survey Monkey, Olojin, Travelclick, Sale Cycle, Ananai, Promogrifo, Idea Ward, Medianet, Zucchetti, Peschiera Viaggi, Flixbus, Trenord, Parco Aquatico Cavour, Parco Natura Viva, Parco Giardino Sigurta, Alpitour, Eden Viaggi, Veratour, Gruppo Sinergia SRL, Poste Italiane S.P.A. and TUAT. A complete list of the data processors may be requested at the email address as per Section 10 below.


6. International Transfers

Some entities in the Merlin Group, with whom we may share your data, and our service providers who have access to your personal data, are located outside the European Union. We may also share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular, we will either:

  • only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
  • ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2)(c) of the GDPR and/or the EU - U.S. Privacy Shield for the protection of personal data transferred to the US (for further details, please see

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 10 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).


7. How do we process your personal data?

Your personal data are processed by electronic and non-electronic means for the time strictly necessary to achieve the objectives for which that information has been collected. Merlin Attractions Italy S.r.l implement appropriate technical and organizational measures so as to prevent losses and illegal or incorrect use of data, or non-authorized access. Merlin Attractions Italy S.r.l take reasonable steps to maintain the security of the personal data that we collect, including limiting the number of people who have physical access to our database servers, as well as installing electronic security systems that guard against unauthorized access.


8. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In particular:

  • Data collected for the Mandatory Purposes are retained for the period of existence of your account on the Website(s) or for the period necessary to the provision of the Services, plus a maximum of 10 years from the termination of the account or the termination of the Services;
  • Data collected for the purpose as Legitimate Interest Purpose are retained for a period of necessary for the performance of the required activities and for a maximum of 10 years;
  • Data collected for the Marketing Purposes are retained for a period of 2 years);
  • Data collected for Disabilities Related Purposes for a period of necessary for the performance of the Services and for a maximum of 10 years .

At the end of the retention period your personal data will be either deleted or anonymized and aggregated.


9. What are your rights?

You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data; objection to the processing of your data; data portability and various information in relation to any automated decision making and profiling or the basis for international transfers.  You also have the right to complain to your supervisory authority (further details of which are set out in Section 10 below).  

These are defined in more detail as follows:




By sending an email to, you can ask us to:

  • confirm whether we are processing your personal data;

  • give you a copy of that data;

  • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this Policy.



By sending an email to, you can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.

Erasure / Right to be Forgotten

By visiting this page, you can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or

  • you have withdrawn your consent (where the data processing was based on consent); or

  • it follows a successful right to object (see 'Objection' below); or

  • it has been processed unlawfully; or

  • it is necessary to comply with a legal obligation which Gardaland S.r.l is subject to.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a suppression list if you have opted out from receiving marketing content to ensure that you do not receive any further communications.


By sending an email to, you can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested (see 'Rectification' below), to allow us to verify its accuracy; or

  • the processing is unlawful, but you do not want it erased; or

  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or

  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • we have your consent; or

  • to establish, exercise or defend legal claims; or

  • to protect the rights of another natural or legal person.


By sending an email to, you can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.


By sending an email to, you can object to any processing of your personal data which has our 'Legitimate Interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate Interests. Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests which override your rights, however this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.

You can exercise the rights mentioned above through the instructions set out in Section 10 below. Please note the following if you do wish to exercise these rights:

  • We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
  • We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
  • We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
  • Local laws, including in Italy, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.


10. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way:


If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time. In Italy, the supervisory authority for data protection is the Garante per la protezione dei dati personali ( 

We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 




Type of information collected

The basis on which we use the information


Provide the Services

  • Contact Details and Engagement Details
  • Performance of a contract


Provide client care and support

  • Contact Details, Engagement Details and Device Data
  • Performance of a contract


  • Contact Details, Marketing Preferences
  • Consent (and in exceptional cases, Legitimate Interest)

Comply with legal and regulatory obligations

  • Contact Details and Engagement Details
  •  Legal obligation





Consumer: means an individual who may, who has, or who is purchasing tickets for an Attraction or using our websites, goods or services, or participating in a prize draw/competition or experience.

Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.

Data Subject: means an individual whom the personal data is about.  

EEA: means the European Economic Area.

GDPR: means the General Data Protection Regulation, which comes into force on 25 May 2018 and replaces the previous Data Protection Directive 95/46/EC.

Supervisory Authority: the Italian Data Protection Authority (Garante per la protezione dei dati personali) regulates the processing of personal data by all organisations within the Italian territory.

Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.

Member States: means those countries which are part of the European Union.

Privacy Shield: means a framework which has been adopted to protect the rights of those individuals whose data has been transferred to the US.

Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.

Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership. 

Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.