The persons responsible for processing your personal data are S.A.S. MARINELAND (the company that operates the Aquasplash water park, hereinafter "the Park"), whose registered office is located at 2 Route de la Brague - 06600 ANTIBES- France, and the company that manages its central services, Parques Reunidos Servicios Centrales, S.A., whose registered office is located at Federico Mompou 5, Edificio 1 planta 3ª, 28050, Madrid, Spain, hereinafter "Parques Reunidos" acting individually as data controllers and jointly as joint data controllers (hereinafter, the "Controllers").
If you have any questions regarding the processing of your personal data or if you wish to request the essential parts of the co-responsibility agreement between the data controllers, you can contact the Data Protection Officer (DPO).
Contact details of the DPO of Parques Reunidos
The data controllers will process your personal data for the following purposes and on the following legal basis:
1. Manage the registration of users of the platform
The personal data provided by the customer when registering on the website https://menus.preoday.com/ (hereinafter, the "Platform") will be processed in order to identify you as a user of the Platform and to give you access to the various features and products available on the Platform. Registration will allow you to speed up the process of purchasing food and/or beverages (hereinafter also referred to as "Order"), by avoiding the need to provide personal identification data again for each Order placed on the Park Platform. You can delete your registered user account via the "DELETE MY ACCOUNT" option.
Category of personal data processed: your identification data (name and surname), your contact details (e-mail and telephone) and your password.
Legal basis: the processing is necessary for the execution of a contract to which the user, the holder of the personal data, is a party (acceptance of the general conditions). The user's personal data is necessary for the execution of the conditions governing the use of the Platform and for the management of user registration.
2. Processing and managing the purchase of your food and drink order
The personal data provided by the customer or user will be used to process your Order through the Platform, to process the payment thereof and to send you by email the corresponding confirmation and receipt to be presented at the restaurant du Parc at the time of collection. Similarly, the telephone number may be provided voluntarily so that we can contact you (as an alternative to email) in the event of a problem with the delivery of your Order.
If, during the purchase process, you make use of promotions that are subject to specific conditions (large families, discount codes for certain groups, promotional codes, etc.), please note that we may ask you for the relevant documents when you collect your order in the park restaurant in order to verify compliance with these conditions (large family card, official document accrediting membership of certain groups, card of the same name, etc. If, during the purchase process, you make use of promotions that are subject to specific conditions (large families, discount codes for certain groups, promotional codes, etc.), please note that we may ask you for the relevant documents when you collect your order from the park restaurant in order to verify compliance with these conditions (large family card, official document accrediting membership of certain groups, identity card, passport/driving licence, presentation of your annual pass, etc.), without this entailing any additional costs, and without this information being recorded or stored by the managers.
Category of personal data processed: your identification data (name and surname), your contact details (e-mail and telephone); transactional information (e.g. payment information, information about the food and/or drink product(s) purchased, returns, etc.).
In order to process your order, the responsible parties do not store your credit or debit card information in their computer systems. Payment processing is carried out using the secure services of the payment gateway contracted in accordance with the Payment Card Industry Data Security Standard or PCI DSS, among other standards. You can find more information in the section Who will receive your data?
Legal basis: the legitimate basis for processing your personal data is the execution of the contract concluded between you, the User, and the Data Processors for the purchase of the food products offered on the Platform (general conditions). Without the above-mentioned personal data, your Order could not be processed.
3. Customer service
If you request information on the food products available on the Platform or if you send us questions, suggestions, complaints, claims or incidents through any of the channels that the Data Processors make available to you in the "Contact" section (e-mail or telephone), your personal data will be processed in order to manage and respond to your request by e-mail or telephone call, depending on the means you have used to send us your request.
Category of personal data processed: first name, last name, telephone number, e-mail address, transactional information related to the Order, and any other information you voluntarily provide in your application.
Legal basis: the data processing will be carried out for the implementation, at the request of the data subject, of pre-contractual measures or for the execution of the contract (general conditions) to which you are party by purchasing your Order on the Platform. Without the personal data indicated, your request could not be fulfilled.
4. Produce statistical reports for analysis on the basis of aggregated information.
The Responsible Entities will proceed with the dissociation of the personal data provided by you through the forms of this Platform in order to avoid any type of direct identification of the person concerned with the aim of carrying out quantitative and qualitative aggregated statistical reports in order to create analytical models of consumption of the products of the Platform and, consequently, to adopt strategic commercial decisions.
Category of personal data processed: information relating to the transaction (e.g. type of menu chosen, date and time of the order and collection, restaurant chosen, cost of the Order, use of promotional codes, frequency of orders, etc.) previously separated from any personal information of the user that could identify him/her.
Legal basis: this processing is necessary for the satisfaction of the legitimate interests pursued by the Data Controllers in order to know and understand the commercial behaviour of customers and users with regard to the use of the Platform. The Data Processors certify that the rights and freedoms of their customers and users are not violated and that there is a balance between the interests of both parties (customers and users and Data Processors) insofar as this processing allows the achievement of the purpose pursued (to create analytical models of consumption), which is necessary for the Data Processors to make strategic business decisions, or even to improve their products and operational processes related to the catering services in the park, which would mean providing customers with a better quality of their experiences.
Furthermore, the Data Controllers certify that there is no other more moderate mechanism to achieve this purpose with the same efficiency, since no sensitive information (transaction information) is used, and the data is previously dissociated from any personal data allowing the individual identification of customers during this purpose. We also understand that our customers may have a reasonable expectation of this processing due to the contractual relationship they have with the Data Processors for the purchase or booking of products and services, the specific information provided by the controllers, and that this type of processing is common practice in the tourism sector.
However, you may at any time object to the processing of your personal data or exercise your other rights under data protection legislation, in accordance with the procedure described in the section "What are your rights when you provide us with your personal data?
5. Prevention and detection of possible fraudulent activities
The personal data provided may be processed to activate the mechanisms necessary to prevent and detect misuse of the website or potential fraud related to the purchase of products that could affect the Data Processors themselves or their customers. If possible fraudulent activities related to the payment of products are detected, the Data Processors may communicate information on the affected transaction and the identification data of the person who carried it out to the owner of the platform used for payment and, if necessary, to the competent public authorities so that the relevant measures may be adopted in each case.
Category of personal data processed: transactional information, payment information and contact information provided in the event of fraudulent purchase processes.
Legal basis: this processing is necessary for the satisfaction of the legitimate interests pursued by the Data Controllers. The Data Processors understand that the rights and freedoms of natural persons are not infringed and that there is a balance of legitimate interests insofar as this processing makes it possible to achieve the aim pursued (to prevent and detect possible fraudulent activities) and is beneficial to the customers and users of the Platform, as it allows the necessary measures to be taken to protect them against unlawful activities such as fraud attempts by third parties, for the Controllers themselves to prevent the misuse of the Platform and its products and services, and for society in general to ensure that fraudulent activities are discouraged and detected when they occur.
6. Compliance with legal obligations
Personal data will be processed in order to comply with the legal obligations applicable to the Data Controllers due to the relationship with you as a customer or user and the processing of your personal data in accordance with EU law and/or the applicable national legal regime (legal obligations required by tax regulations, personal data protection regulations, commercial law regulations, user and consumer protection regulations, information society services and e-commerce regulations, civil law regulations, accounting regulations, etc.)
Category of personal data processed: name, surname, e-mail address, if applicable, the document proving the identity of the holder of the personal data or the status of customer (identity card, passport, driving licence), annual card, transactional information on your purchase or any other necessary information that may be part of the fulfilment of legal obligations at the request of the competent supervisory authorities.
Legal basis: compliance with the legal obligations applicable to Controllers under EU law and/or the applicable national legal regime. Without your personal data, the data controllers would not be able to adequately comply with the legal obligations indicated or to meet any legal liabilities arising from the relationship with you or the processing of your personal data.
7. Use of cookies and similar technologies
Through this Platform, the Controllers do not use cookies or similar technologies to collect information from users. Third party cookies are only used for technical purposes to enable the user to navigate the Platform and use the various options or services offered on it.
Depending on the purpose for which we process your personal data, the applicable retention criteria will be those detailed below:
In all of the above cases, when the personal data cease to be relevant for the purposes for which they were collected or, as the case may be, when you withdraw your consent or exercise your right to cancel or object to the processing indicated, as the case may be, the Data Controllers may keep them duly blocked (identification and reservation of personal data, adoption of technical and organisational measures to prevent their processing, including visualization) in order, if necessary, to make them available to the competent Public Administrations and, in particular, to the competent Data Protection Control Authority, Judges, Courts or Public Prosecutor's Office during the period of limitation of legal actions that may arise from the relationship with you or from the processing of your personal data and/or the retention periods legally established in accordance with European Union law and/or the internal legal order. Once these periods have expired, your personal data will be physically deleted without the possibility of recovery.
Personal data provided by customers and users may only be disclosed to the competent public authorities and in particular to the competent data protection supervisory authority, judges, courts or public prosecutors in accordance with European Union law and/or national law, if this is necessary to meet possible liabilities or legal obligations.
In addition, the Data Controllers have suppliers who may also process your personal data in order to provide services related to the purposes for which you are notified (including, but not limited to, companies operating in the following sectors: information security, management and maintenance of this ordering platform, legal advice, multidisciplinary professional services, IT services, payment gateways). These suppliers will only access personal data in order to perform their services on behalf of and for the account of the Data Processors, always following their instructions and without being able to use this data for their own and/or unauthorised purposes at any time. However, when the customer places an Order, the payment gateway provider is responsible for storing the customer's payment data in accordance with the Payment Card Industry Data Security Standard (PCI DSS), Payment Card Industry Point-to-Point Encryption (PCI P2PE) and other legal obligations such as the prevention of money laundering applicable to it. In this case, the provider acts as the data controller. For more information, please refer to its privacy policy.
However, for the maintenance and management services of the ordering platform, as well as the customer relationship management platform, we have suppliers located outside the European Economic Area (EEA) and, in particular, in the United Kingdom (a country declared by the European Commission as having an adequate level of protection) and the United States. In all cases, binding contractual commitments have been entered into with these suppliers ensuring the implementation of appropriate security measures to ensure that your personal data is processed at all times with an adequate level of protection comparable to that required in the EEA (standard contractual clauses approved by the European Commission on data protection in accordance with the European Data Protection Regulation (EDPR) and additional security measures in accordance with the European Court of Justice's decision C-311/18). For more information or to exercise any of your rights under the GDPR, please feel free to contact the Data Controllers as described in the "Data Protection Rights" section of this Privacy Policy.
You may exercise your right of access, rectification, opposition, limitation, portability and, where applicable, withdraw your consent or request not to be subject to automated individual decisions, including profiling, by sending your request in writing for the attention of the DPO to the following postal address: Parques Reunidos, Calle Federico Mompou 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain, or to the following e-mail address: dpo@grpr. com . If there are reasonable doubts about the identity of the holder of the personal data, a copy of an official document (ID card/passport) may be requested in order to process the request.
You may file a complaint with the Spanish Data Protection Agency (AEPD) or the French Agency (CNIL) to safeguard your rights where you consider it appropriate.
The personal data processed by the Data Processors are provided directly by you, as the data subject, through this Platform. The personal data provided must be accurate and up to date in order to truthfully respond to the current and real situation of the applicants.
If you provide personal data of third parties, you are required to obtain the express and informed consent of the data subjects to provide their personal data to the Data Controllers in accordance with the provisions described in this Privacy Policy.
Children under the age of fifteen (15) are not permitted to purchase any of the products offered on this Platform. The Controllers will use reasonable efforts to ensure compliance with relevant national regulations regarding the ability of a minor to enter into contracts on the Platform by requesting the date of birth.
The Data Controllers reserve the right to modify this Privacy Policy in order to adapt it to possible legislative developments or to changes that may occur in their internal processes and that will have an impact on the processing of personal data previously declared.
Any changes to the Platform that may affect the processing of personal data of customers and users will be notified to them prior to such processing by the Platform.