Privacy policy

1. Who is responsible for my data?

The companies responsible for processing your personal data are Leisure Parks, S.A. the company responsible for operating Aquopolis Torrevieja and Parques Reunidos Servicios Centrales, S.A., with registered office at Calle Federico Mompou 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain each acting individually as controllers and together as joint controllers (the "Controllers").

If you have any questions about the processing of your personal data or if you would like to ask for relevant parts of the Joint Controllers agreement, please contact the Data Protection Officer (DPO) by post at Calle Federico Mompou 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain or by e-mail at dpo@grpr.com.

 

2. For what purpose and on what basis do we process your personal data?

The Controllers will process your personal data for the purposes set out below, and consistently with the purpose of the channel through which you may have provided your personal data:

I. Managing your contractual relationship arising from your purchase or booking of products and services

Purpose description: Your personal data will be processed to manage the purchase or booking of the products and services of the Controllers, to process your payments, and to email you a confirmation of and a receipt for your purchase, together with any relevant documentation for your visit and access to the park. 

If, during the purchase or booking process, you claim any special promotions that require you to fulfl certain conditions (e.g. large family, discount code for certain groups, etc.), please note that we may ask you to produce documentary evidence of your eligibility (e.g. large family card, official document showing your membership to a group, ID card, passport, driving licence, etc.). No information will be recorded or stored by the Controllers.

Should unforeseen events or circumstances arise that may impact on the product or service purchased by you (inclement weather, security or public health concerns, etc.), the Controllers may contact you by electronic means (e-mail, SMS, telephone calls) to inform you of the circumstances that may affect your visit.

Type of personal data processed: your first name, surname, email address, and telephone number; details of your purchase or booking; proof of payment and payment details, your date of birth to ensure that you are over fourteen (14) years of age. Please note that pursuant to European data protection regulations, if you are under fourteen (14) we will be required to obtain the consent from your parents or guardians. The Controllers may also process information about your country to ensure that any communications are sent to you in your chosen language.

Lawful basis: our lawful basis for processing your personal data are the terms and conditions applicable to the purchase of your product or service. Without such personal data, the Controllers would be unable to process your purchase or booking.

II. Customer care

Purpose description: If you request information about our products and services or send us any questions, suggestions, complaints or claims or would like to report an incident through any of the channels made available by the Controllers (e.g. a specific form, telephone or email) your personal data will be processed to deal with your request.

Type of personal data processed: your first name, surname, email address, and telephone number; details of your purchase or booking; proof of payment and payment details; your date of birth to ensure that you are over fourteen (14) years of age. Please note that pursuant to European data protection regulations, if you are under fourteen (14) we will need to obtain the consent from your parents or guardians. The Controllers may also process information about your country to ensure that any communications are sent to you in your chosen language and, generally, any other information that you may have voluntarily supplied in your request.

Lawful basis: your data will be processed for implementing, at your request, certain pre-contractual steps or pursuant to the terms and conditions of your agreement for the purchase or booking of products or services. Without the above personal data, your request may not be processed.

III. Surveys

Purpose description: If you purchase any of our products or services, the Controllers may send you surveys electronically (e.g. e-mail, SMS, phone, etc.). This is a valuable tool that enables us to find out our customers' degree of satisfaction whilst allowing them the opportunity to make suggestions. Your opinion will also enable the Controllers to improve their processes, and their range of products and services.

Type of personal data processed: your email, telephone, information related to your purchase or booking, your country (to ensure that the survey is sent in your chosen language) and any other non-personal information you provide on the surveys you chose to respond to.

Lawful basis: this processing is necessary for the satisfaction of legitimate interests pursued by the Controllers as it will allow them to know the opinion of their customers regarding the products and services contracted and their possible suggestions in this regard, which is necessary because it will help them to improve their various processes, products and services so that they meet the expectations of their customers (for example, improve attractions, facilities of parks and leisure centers, customer service processes, etc.). The Controllers understand that the rights and freedoms of natural persons are not impaired and that there is a balance between the interests of both parties because this processing is carried out on an ad hoc basis, only strictly necessary personal data of a non-sensitive nature of natural persons over fourteen (14) years of age is processed, and it is not used for further purposes related to profiling for direct marketing. In addition, it is understood that customers have a reasonable expectation regarding the performance of this processing by the Controllers due to the contractual relationship that is maintained as a result of the purchase of products and services, the specific data protection information provided at the time of purchase and the frequency with which this type of processing is performed within a standard and usual practice of the industry of companies providing services.

In any case, we remind you that, if you have any questions about the processing of your personal data, need more information about the weighting of interests carried out by the Controllers to carry out this processing or exercise among others, your right to object, you can send your request to the DPO through any of the means of contact provided in this privacy policy.

IV. Sending you information (including personalized information) about the products and services of the Parques Reunidos Group

Purpose description: Only if you expressly gives us your permission to do so by ticking the relevant box on any of the forms available on this website or by clicking on the "send" button on the newsletter form, your personal data will be processed by the Controllers to send you commercial information by any means, including electronically (e-mail, SMS, phone), about the European companies of the Parques Reunidos Group (the list of companies is included below in this Privacy Policy) that may include newsletters, discounts, promotions, relevant information or commercial information about the Group's activities, events, products and services related to the leisure and hospitality industries, including personalised information subject to prior profiling and analysis of your preferences via automated decisions for relevance. This personalisation will be based on profiling using automated decisions made in accordance with the configuration and filtering of the following parameters on our email marketing platform: demographic criteria based on your postcode and country, self-sourced information related to your purchase history, the type of products and services purchased (tickets, season passes or park passes, experiences, parking, food and drinks) and inferred socio-economic parameters based on your age, the type of product or service you purchase and the analysis of your behaviour when you receive a marketing communication from the Controllers (whether or not you activate the purchase of the product or service offered to you on the marketing communication sent).

Your profile will not be used to make automated decisions with legal implications for you or that will significantly affect you in a similar way (financial effects, denial of services, discriminatory, disadvantages compared to other customers, etc.), as it will only be used to ensure that you only receive communications with commercial information that we consider most appropriate for you.  

Type of personal data processed: your email address and telephone number will be processed for the purpose of sending you marketing communications. Your country will be processed for the purpose of sending you marketing communications in your chosen language. The personalisation parameters indicated above (demographic criteria, transactional information and inferred socio-economic criteria) will be processed to ensure that you only receive communications with commercial information that we consider most relevant to your interests.

Lawful basis: this processing will only be carried out if you voluntarily give your express consent through the box that is incorporated for this purpose in the various forms on this website. In any case, we remind you that you can withdraw the consent given to unsubscribe from the sending of commercial communications, request not to be subject to automated individual decisions, including profiling, request human intervention in automated decision-making, express your point of view on the matter or resolve any question about the processing of your personal data, by sending your request to the DPO through any of the means of contact provided in this privacy policy.

V. Market research and analysis

Purpose description: production of quantitative and qualitative aggregated statistical reports to carry out market analysis and studies that allow managers to evaluate their market positioning in order to make strategic business decisions.

Type of personal data processed: aggregated information obtained from zip code, country, postal address, date of birth, purchase history and information obtained through surveys to which our customers may have responded. This information is previously dissociated so that it does not allow the identification of the holders of such personal data.

Lawful basis: this processing is necessary for the satisfaction of legitimate interests pursued by the Controllers because it will allow them to better understand and know the market where they operate (e.g., sales trends), which is necessary because it will help them make strategic business decisions that meet the expectations of their customers (e.g., launch of new products and services). The Responsible Parties understand that the rights and freedoms of individuals are not undermined and that there is a balance between the interests of both parties because it is basic information of a non-sensitive nature previously subjected to disassociation processes so that the holders of such information are not identified and it is not used for further purposes related to the creation of profiles for direct marketing. In addition, it is understood that customers have a reasonable expectation regarding the performance of this processing by the Controllers due to the contractual relationship that is maintained as a result of the purchase of products and services, the specific data protection information provided at the time of purchase and the frequency with which this type of processing is performed within a standard and usual practice of the industry of companies providing services.

In any case, we remind you that, if you have any questions about the processing of your personal data, need more information about the weighting of interests carried out by the Controllers to carry out this processing or exercise among others, your right to object you can send your request to the DPO through any of the means of contact provided in this privacy policy.

VI. Compliance with statutory obligations

Purpose description: Personal data will be processed in order to comply with legal obligations applicable to the Controllers as a result of the relationship with you as a customer and the processing of your personal data (e.g. in the event that you request via the ‘Customer Web Portal’ the issuance of an invoice). 

Category of personal data that may be processed in accordance with the applicable legal obligations: name, surname, first name, telephone number, email address, tax address, document proving the identity of the holder of the personal data or the status of customer (ID card, NIE, Passport, Driving licence), large family card, bonus card, transactional information about your purchase, where applicable, data collected through the use of cookies or similar technologies (see our Cookies Policy) or any other mandatory information that may be required for the fulfilment of our legal obligations, including at the request or request of the competent authorities. 

Basis of legitimacy: compliance with legal obligations applicable to the Controllers under European Union law and/or the applicable domestic legal regime (compliance with legal obligations required by tax, civil, commercial, privacy, e-commerce or consumer and user protection regulations, among others). Without your personal data, the Controllers would not be able to comply with their legal obligations under the terms required by the applicable regulations in each case. 

VII. Fraud prevention and detection

Purpose description: To activate the necessary mechanisms to prevent and detect the improper use of the website or potential fraud related to the purchase or reservation of products and services that could affect the Controllers themselves or their customers. If possible fraudulent activities related to the payment of products and services are detected, the Controllers may communicate the information about the affected transaction and the identification data of the person who made the transaction to the owner of the platform used for the payment and, where appropriate, to the competent public authorities so that the relevant measures can be taken in each case.

Type of personal data processed: name, surname, official identification document (DNI/NIF/Passport), e-mail, transactional information or IP address.

Lawful basis: we require to process your personal data to satisfy our lawful interests as Controllers. We believe that no rights of their customers are infringed upon as a result of this processing.  We also believe that there is a right balance between our of legitimate interest to prevent and detect potentially fraudulent activity and the legitimate interests of our customers and website users, as it allows us to take the required measures to protect them from such unlawful activities such as attempted fraud. This processing is also beneficial for us, as it allows us to avoid misuse of their website, products and services and for society at large, ensuring that fraudulent activities are discouraged and detected when they do occur.

VIII. Cart management and retrieval

Purpose description: Your personal data will be processed for this purpose only if you provide your email address and give your express consent by clicking on the pop-up that will appear during the online purchase process, and provided you remain inactive for some time. If you do not complete the purchase or reservation process, we may e-mail you a reminder inviting you to complete your purchase or booking.  If you do not complete your purchase or booking we will email you a short survey to find out your reasons for not doing so, which in turn will help us improve our customers' experience on our website.

Type of personal data processed: your e-mail address.

Lawful basis: we will only process your data for this purpose if you voluntarily give your express consent by clicking on the pop-up that will appear during the online purchase process if you remain inactive. In any case, we remind you that you can withdraw the consent given to unsubscribe from receiving this type of emails, either through the unsubscribe links enabled in each of our emails, or by sending your request to the DPO through any of the contact methods provided in this privacy policy.

IX. Use of cookies and related technologies

We use proprietary and third-party cookies and similar technologies (HTTP Cookies, Pixel Tracker and Premises and Premises Shared) on our website. As a result, we process, store and share user information and personal data when you browse this website, in accordance with the purposes and settings made available to users at all times.

For more information on the use of cookies and similar technologies, the processing of personal data and on how to manage your consent, please visit our  Cookies Policy.

 

3. How do you determine the retention periods of my personal data?

Based on the purpose for which we process your personal data, different retention periods apply as follows:

  • Managing your contractual relationship arising from your purchase or booking of products and services: your personal data will be retained until such time as your contractual relationship with us continues to exist.
  • Customer care: your personal data will be retained for such time as is required to deal with your request, complaint, incident or claim.
  • Surveys: your personal data will be retained for up to 12 months unless you submit a request for your personal data to be deleted or you otherwise object to the processing. In either case, your personal data will no longer be processed for this purpose.
  • Marketing communications (including personalised) about products and services of the Parques Reunidos Group: Your personal data will be processed until you withdraw your express and informed consent, submit your request to unsubscribe via any of the methods made available for this purpose on our marketing communications, or until you exercise your rights of erasure, objection or not to be subject to automated decisions, including profiling. In all such cases, your personal data will no longer be processed for this purpose.
  • Market research and analysis: the information processed for this purpose cannot be linked with the rest of your personal information. If, however, prior to such dissociation you request deletion of your data or object to the processing, the data will no longer be processed for this purpose.
  • Compliance with statutory duties: personal data will be kept secure for as long as the controllers can be held legally responsible for the fulfilment of their statutory duties.
  • Fraud prevention and detection: your personal data will be retained until any fraudulent actions detected are addressed. Thereafter your personal data be retained for as long as the controllers can be held legally responsible for such actions.
  • Cart management and retrieval: your personal data will be retained for up to 30 days, unless you withdraw your express consent or indicate that you do not wish to be sent abandoned cart reminders. In either case, your personal data will no longer be processed for this purpose.
  • Use of cookies and related technologies: our personal data will be processed for as long as your cookie consent remains in force. If you do not withdraw your consent via any of the methods offered in our Cookies Policy, your personal data will be retained for the duration of the cookies or similar technologies installed on your device

When your personal data are no longer relevant for the purposes for which they were collected or if you otherwise withdraw your consent or exercise your right of erasure or objection to the processing, the Controllers will keep your personal data duly blocked (identification and reservation of the personal data, adopting technical and organizational measures to prevent processing and viewing) strictly (and only to the extent necessary), to make such data available to the competent Public Administrations and in particular to the Supervisory Authority competent in data protection, Judges, or the Public Prosecutor's Office during the statute of limitations period for legal actions that may arise from the relationship maintained with you or from the processing of your personal data and/or the legally established retention periods in accordance with European Union Law and/or domestic regulations. Upon the expiry of these time limits, your personal data will be physically and irretrievably deleted. 

 

4. Who do you disclose my personal data to?

In order to fulfill the purposes stated in this Privacy Policy, we may give access to your personal data to third parties, namely:

  • Competent authorities: Pursuant to European Union Law and/or domestic regulations your personal data may be disclosed to the Public Authorities including, in particular, data protection authorities, the courts or the Public Prosecutor's Office to meet possible legal liabilities or to comply with statutory retention periods.

  • Services providers: The Controllers rely on third party suppliers who may also process your personal data to provide services related to the purposes for which you are being informed, (including, but not limited to, information security, customer relationship management (CRM), technology, legal consulting, marketing and advertising, customer service, multidisciplinary professional services, IT companies, payment processors and gateways, etc.). These providers will only access your personal data to perform their services on behalf of the Controllers, following at all times the Controllers' instructions and without ever being authorized to use such data for their own purposes and/or unauthorized purposes.

    One of these providers is Salesforce, a global company which provides cloud marketing platform services. Salesforce will operate on our behalf, within the European Economic Area (EEA) and in compliance with applicable European data protection regulations. Exceptionally, for example, in the event of a disaster recovery situation (i.e. the process to recover data and functionalities lost in the event of an accidental or a man-made disaster), Salesforce may also provide its services through companies outside the EEA, for which your personal data may need to be processed in countries that do not offer a standard of protection commensurate with the level of protection offered by European data protection legislation (e.g. the USA). To address these situations, the Controllers have entered into binding contractual commitments with Salesforce that guarantee the implementation of appropriate security measures to ensure that your personal data are at all times processed with an adequate level of protection comparable to that required in the EEA (standard contractual clauses approved by the European Commission on data protection in accordance with the European Data Protection Regulation (GDPR), additional security measures in accordance with decision C-311/18 of the Court of Justice of the European Union and subject to certification mechanisms).

  • Services, platforms, gateways and/or payment processors. Additionally, when the customer proceeds to make payment for products and/or services on our website, different intermediaries may intervene during this process (service providers, platforms, gateways and payment processors) who will also act as responsible for the storage of the customer's payment data (processing the information in accordance with Payment Card Industry Data Security Standard -PCI DSS- or higher security standards), as well as compliance with other legal obligations such as the prevention of money laundering that may apply to them. In these cases, these intermediaries act as independent controllers for such purposes.

If you have any questions in this regard or wish to exercise any of your rights under data protection regulations, you can contact the DPO by sending your request through any of the means of contact provided in this privacy policy.

 

5. Which are the European companies of the Parques Reunidos Group?

If you expressly agree to receive marketing information about any of the companies of the Parques Reunidos Group, please note that these are based in the European Union and are primarily engaged in the management and exploitation of fun parks, aquatic parks, zoos, leisure centres and travel agency services (e.g. sale of ticket+hotel packages). The European companies of the Parques Reunidos Group are:

  • Spanish companies of the Parques Reunidos Group: Parques Reunidos Servicios Centrales, S.A. (Bono Parques); Parque de Atracciones Madrid, S.A.U. (Parque de Atracciones Madrid); Madrid Theme Park Management, S.L.U. (Parque Warner y Parque Warner Beach); Gestión Parque de Animales Madrid, S.L.U. (Faunia); Zoos Ibericos, S.A. (Zoo Aquarium Madrid); Parques de la Naturaleza Selwo, S.L. (Selwo Aventura and Hotel Selwo Lodge); Aquópolis Cartaya, S.L.U. (Aquópolis Cartaya); Leisure Parks, S.A. (Aquópolis de Villanueva de la Cañada, Aquópolis Costa Dorada, Selwo Marina, Aquópolis de Sevilla, Aquópolis de Cullera, Aquópolis de Torrevieja, Teleférico de Benalmádena); Mall Entertainment Centre Acuario Arroyomolinos, S.L.U. (Atlantis Aquarium); Travelpark Viajes, S.L.U. (packages combining admission fees + hotel accommodation).
  • Rest of European companies of the Parques Reunidos Group: Italy - Parco della Standiana S.R.L (Miraiblandia and Mirabilandia Beach) and Travelparks Italy, S.R.L.( admission+hotel packages); Norway - Tusenfryd A/S (Tusenfryd) and Bø Sommarland AS (Bo Sommarland); Belgium - Bobbejaanland, B.V. (Bobbejaanland); Denmark - BonBon-Land A/S (BonBon -Land); Germany - Movie Park Germany GmbH y Movie Park Germany Services GmbH (Movie Park), Event Park GmbH (Belantis), Nature Park Germany GmbH (Vogelpark Walsrode), Tropical Island Management (Tropical Island) and TI Hotel Asset GmbH (Tropical Island Hotels); The Netherlands - Attractie- en Vakantiepark Slagharen B.V. (Slagharen and Slagharen Beach); France - Marineland SAS (Marineland, Aquaplash Marineland, Marineland Resort and Kids Island); England(UK) - Grant Leisure Group LTD (Blackpool Zoo), Real Live Leisure Company LTD (The Bournemouth Aquarium and Aquarium of the lakes) and Lakeside Mall Entertainment Centre Limited (Nickelodeon Adventure-Lakeside).

 

6. What are my rights in relation to my personal data?

You may exercise your right of access, rectification, objection, erasure, limited processing, portability and, where appropriate, your right not to be subject to automated individual decisions, including profiling, by sending your request by post to the attention of the Data Protection Officer at Calle Federico Mompou 5, Parque Empresarial “Las Tablas”, Edificio 1 – Planta 3ª, 28050, Madrid, Spain or electronically at dpo@grpr.com. If we have reasonable grounds to doubt the identity of the data subject, we may require a copy of an official Id. document (Spanish National or Foreign Id. Card/Passport) before processing your request.

For consent-based processing operations, please note that you can withdraw your consent or object at any time to the processing of your data following the procedure described in the previous paragraph. Also, we would like to remind you that if you have expressly authorized us to send to you marketing information or information about discounts and promotions, including subject to prior profiling and analysis of your preferences via automated decisions for relevance, you may also unsubscribe from this type of communications by using the methods that will be made available to you for this purpose in each commercial communication that you will receive. Finally, please note that you can also tell us not to be subject to decisions based exclusively on the automated processing described above, or ask us for human intervention, express your point of view, raise any queries about or object to automated decisions by sending your request to the Data Protection Officer at any of the addresses indicated in this section. 

 

7. How did you gather my personal data?

The personal data processed by the Controllers are provided directly by you as the data subject through this website and/or during the relationship with you.

If you provide personal data of third parties, you agree to obtain their express and informed approval to provide their personal data to the Controllers in accordance with the provisions described in this Privacy Policy. 

If information on allergies and/or intolerances must be provided to the Controllers (e.g. to design the menus that may be served during an event or reception), please remember that you must only provide the number of people and the type of allergy and/or intolerance and not personal data that would allow the person with such allergy and/or intolerance to be individually identified. 

 

8. Minors

Children under fourteen (14) years of age are not authorized to purchase or book our products, services or events on this website.

However, if as a result of purchasing any of our products, services or events available on this web site and, particularly following an event, you voluntarily decide to provide personal data of a child under fourteen (14) years of age,  you will be deemed to have given your express and informed consent for the Controllers to process the personal data as part of the contractual relationship arising from your purchase pursuant to the provisions of this Privacy Policy. 

 

9. How do I file an official personal data protection complaint?

You may lodge a claim with the Spanish Data Protection Agency to protect your rights at any time you deem appropriate. However, we advise you to approach first our Data Protection Officer on dpo@grpr.com or at Calle Federico Mompou, 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain to seek assistance with your request and to resolve any incident related to the processing of your personal data.

This Privacy Policy was last updated in May 2023