Click&Collect Privacy Policy

Who are the parties responsible for the processing of personal data?

The parties responsible for the processing of your personal data are Leisure Parks S.A. (the company that operates Aquópolis de Costa Daurada) and the company that manages its central services, Parques Reunidos Servicios Centrales, S.A., both with registered offices at Federico Mompou 5, Edificio 1 planta 3ª, 28050, Madrid, Spain, acting individually as data controllers and jointly as co-responsible for the processing (hereinafter, the "Controllers").

If you have any questions about the processing of your personal data or wish to request the essential parts of the co-responsibility contract existing between the Controllers, you may contact the Data Protection Officer (DPO).

Contact details of the DPO

  • Postal address: by sending your request by post to Calle Federico Mompou 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain.
  • E-mail address: dpo@grpr.com.

 

For what purposes and on what grounds do we process your personal data?

The Controllers will process your personal data for the following purposes and on the following legal basis:

1. To manage the registration of users of the platform.

The personal data provided by the customer when registering on the website https://menus.preoday.com/costa-daurada (hereinafter, the "Platform") will be processed to identify you as a user of the same and give you access to the various features and products available on the park's Platform. Registration will enable you to speed up the process of purchasing food and/or drink products (hereinafter also referred to as the "Order"), avoiding having to provide personal identification data again for each Order placed on the Park's Platform. You can cancel your registered user account through the option "DELETE MY ACCOUNT".

Category of personal data processed: your identification data (name and surname), contact data (email and telephone) and password.

Basis of legitimacy: the processing is necessary for the performance of a contract to which the user, the holder of the personal data, is a party (acceptance of terms and conditions). The user's personal data is necessary for the execution of the terms governing the use of the Platform and to manage the registration of users.

2. Process and manage the purchase of your food and beverage order.

The personal data provided by the customer or user will be processed in order to process their Order through the Platform, process the payment thereof and send them by email the corresponding confirmation and receipt to be presented at the park's restaurant at the time of collection. Likewise, the telephone number may be provided voluntarily so that we can contact you (as an alternative to email) in the event of any mishap related to the delivery of your Order.

If during the purchase process you make use of promotions that are subject to the fulfilment of specific conditions on your part (large family, discount code for certain groups, discount code for bonus holders, etc.), please note that we may ask you for the corresponding documentation during the collection of the Order at the park's restaurant to verify compliance with these conditions (large family card, official document accrediting membership of certain groups, National ID card, Passport/Driving licence, presentation of your annual pass, etc.), without this entailing the registration or storage of this information by the Controllers.

Category of personal data processed: your identification data (name and surname), contact details (email and telephone); transactional information (e.g. information relating to payment, information about the food and/or drink product(s) purchased, returns, etc.).

In order to process your Order, the Controllers do not store your credit or debit card information on their systems. Payment processing is carried out using the secure services of the payment gateway contracted in accordance with the Payment Card Industry Data Security Standard or PCI DSS, among other standards. You can find more information in the section "Who are the recipients of your data?"

Basis of legitimacy: the basis that legitimizes the processing of your personal data is the execution of the contract concluded between you and the Controllers for the purchase of the food products offered on the Platform (terms and conditions). Without the above-mentioned personal data, your Order could not be processed.

3. Customer service

If you request information about the food products available on the Platform or send us queries, suggestions, complaints, claims or incidents through any of the channels that the Controllers make available for this purpose in the "Contact" section (email or telephone), the personal data will be processed to manage and respond to your request by email or telephone call depending on the means used by you to send us your request.

Category of personal data processed: name, surname, telephone, email, transactional information related to the Order, and any other information you voluntarily provide in your request.

Basis of legitimacy: the data processing will be carried out for the implementation, at the request of the data subject, of pre-contractual measures or for the performance of the contract (terms and conditions) to which you are a party for the purchase of your Order on the Platform. Without the personal data indicated, your request could not be fulfilled.

4. To produce statistical reports for analytical purposes on the basis of aggregated information.

The Controllers will proceed to dissociate the personal data provided by you through the forms on this Platform to avoid any direct identification of the data subject in order to produce quantitative and qualitative aggregate statistical reports to create analytical models of consumption of the Platform's products and, consequently, to make strategic business decisions.

Category of personal data processed: information relating to the transaction (e.g.: type of menu selected, date and time of ordering and collection, restaurant selected, cost of the Order, use of promotional codes, frequency of orders, etc.) previously dissociated from any type of personal information of the user that allows him/her to be identified.

Basis of legitimacy: this processing is necessary for the satisfaction of legitimate interests pursued by the Controllers in order to know and understand the commercial behaviour of customers and users with respect to the use of the Platform. The Controllers understand that the rights and freedoms of their customers and users are not undermined and that there is a balance between the interests of both parties (customers and users and Controllers) insofar as this processing makes it possible to achieve the purpose pursued (to create analytical models of consumption), which is necessary for the Controllers to make strategic business decisions and even improve their products and operational processes related to catering services in the park, which would mean providing our customers with a better quality of their experiences.

In addition, we understand that there is no other more moderate mechanism that allows this purpose to be achieved with the same effectiveness, as no sensitive information is used (only information relating to the transaction), and this information is previously dissociated from any personal data that allows the individual identification of customers during the course of this purpose. We also understand that our customers may have a reasonable expectation of such processing based on their contractual relationship with the Controllers for the purchase or reservation of products and services, on the specific information provided by the Controllers, and on the fact that such processing is standard industry practice.

However, you may at any time object to the processing of your personal data or exercise your other rights under data protection regulations in accordance with the procedure described in the section "What are your rights when you provide us with your personal data?" included in this Privacy Policy.

5. Prevention and detection of possible fraudulent activities

Activate the necessary mechanisms in order to prevent and detect the improper use of the website or potential fraud related to the purchase of products that could affect the Controllers themselves or their customers. If possible fraudulent activities related to the payment of products are detected, the Controllers may communicate the information on the affected transaction and the identification data of the person who carried it out to the owner of the platform used for the payment and, where appropriate, to the competent public authorities so that the relevant measures may be adopted in each case.

Category of personal data processed: transactional information, payment information and contact details provided during possible fraudulent purchase processes.

Basis of legitimacy: this processing is necessary for the satisfaction of legitimate interests pursued by the Controllers. The Controllers understand that the rights and freedoms of natural persons are not infringed and that there is a balance of legitimate interests insofar as this processing makes it possible to achieve the purpose pursued (preventing and detecting possible fraudulent activities) and is beneficial to customers and users of the website, as it allows the necessary measures to be taken to protect them from unlawful activities such as attempted fraud by third parties, for the Controllers themselves in order to prevent the improper use of the website and its products and services, and for society in general in order to ensure that fraudulent activities are discouraged and detected when they occur.

6. Compliance with legal obligations

Personal data will be processed in order to comply with legal obligations applicable to the Controllers as a result of the relationship maintained with you as a customer or user and the processing of your personal data in accordance with European Union law and/or the applicable domestic legal regime (legal obligations required by tax regulations, personal data protection regulations, commercial law regulations, user and consumer protection regulations, information society services and e-commerce regulations, civil law regulations, accounting regulations, etc.).

Category of personal data processed: name, surname, e-mail address, if applicable, the document proving the identity of the holder of the personal data or the status of customer (DNI, NIE, Passport, Driving Licence), membership card, transactional information about your purchase or any other necessary information that may form part of the fulfilment of legal obligations at the request of the competent control authorities.

Basis of legitimacy: compliance with legal obligations applicable to the Controllers under European Union law and/or applicable domestic legal regime. Without your personal data, the Controllers would not be able to properly comply with the aforementioned legal obligations or meet possible legal liabilities arising from the relationship with you or from the processing of your personal data.

7. Use of cookies and similar technologies

Through this Platform, the Controllers do not use cookies or similar technologies to collect information from users. Third-party cookies are only used for technical purposes to allow the user to browse the Platform and use the different options or services that exist therein.

 

What criteria do we use to determine the retention periods for your personal data?

Depending on the purpose for which we process your personal data, the applicable retention criteria will be as detailed below:

  • To manage the registration of users of the Platform: for as long as you maintain your status as a registered user on the Platform so that you can use your account in our park for future Orders. You may cancel your account at any time through the Platform itself and in particular through the option "DELETE MY ACCOUNT". Inactivity of users for a period of two (2) years will result in the automatic deletion of your account.
  • Process and manage the purchase of your food and beverage order: for as long as the contractual relationship with you for the purchase of your Order is maintained.
  • Customer service: for as long as it is necessary to manage and deal with your request, complaint, incident or claim.
  • To prepare statistical reports for analytical purposes based on aggregated information: the information processed for this purpose is dissociated and cannot be linked back to the rest of your personal information. However, if prior to this disassociation you request the deletion of your data or your opposition to the processing, the data will no longer be processed for this purpose.
  • Prevention and detection of possible fraudulent activities: until the possible fraudulent actions that may be detected are resolved and then they will be kept blocked while legal responsibilities may be demanded from those responsible as a result.
  • Compliance with legal obligations: personal data will be blocked for as long as those responsible can be held legally liable for compliance with their legal obligations.

In any of the above cases, when the personal data cease to be relevant for the purposes for which they were collected or, if applicable, you withdraw your consent or exercise your right of deletion or opposition to the processing indicated, where appropriate, the Controllers may keep them duly blocked (identification and reservation of personal data, adopting technical and organisational measures to prevent their processing, including their visualisation) in order to, if necessary, make them available to the competent Public Administrations and in particular to the competent Data Protection Supervisory Authority, Judges, Courts or the Public Prosecutor's Office during the period of limitation of the legal actions that may arise from the relationship maintained with you or from the processing of your personal data and/or the legally established retention periods in accordance with European Union Law and/or the internal legal system. Once these periods have elapsed, your personal data will be physically deleted without the possibility of recovery.

 

Who are the recipients of your data?

Personal data provided by customers and users may only be disclosed to competent Public Authorities and in particular to the competent Data Protection Supervisory Authority, Judges, Courts or the Public Prosecutor's Office in accordance with European Union Law and/or domestic law, if it is necessary to meet possible liabilities or comply with legal obligations.

In addition, the Controllers have suppliers who may also process your personal data in order to provide services related to the purposes for which you are being informed (including, but not limited to, companies operating in the following sectors: information security, management and maintenance of this ordering platform, legal advice, multidisciplinary professional services, IT services, payment gateways). These suppliers will only access personal data in order to carry out their services on behalf of and for the account of the Controllers, always following their instructions and without at any time being able to use such data for their own purposes and/or unauthorised purposes. However, when the customer places an Order, the payment gateway provider is responsible for the storage of the customer's payment data in accordance with the Payment Card Industry Data Security Standard (PCI DSS), the Payment Card Industry Point-to-Point Encryption (PCI P2PE) as well as other legal obligations such as the prevention of money laundering applicable to it. In this case, the provider acts as the data controller. For more information, please consult its privacy policy.

On the other hand, for the maintenance and management services of the order platform, as well as the customer relationship management platform, we have suppliers located outside the European Economic Area (EEA) and, in particular, the United Kingdom (a country declared by the European Commission to have an adequate level of protection) and the United States. In all cases, binding contractual commitments have been entered into with these suppliers guaranteeing the implementation of appropriate security measures to ensure that your personal data are processed at all times with an adequate level of protection comparable to that required in the EEA (standard contractual clauses approved by the European Commission on data protection in accordance with the European Data Protection Regulation (GDPR) and additional security measures in accordance with decision C-311/18 of the Court of Justice of the European Union). For further information or to exercise any of your rights under the GDPR, please do not hesitate to contact the Controllers as described in the "Data protection rights" section of this Privacy Policy.

 

What are your rights when you provide us with your personal data?

You may exercise your right of access, rectification, opposition, limitation, portability and, where appropriate, withdraw your consent or request not to be subject to automated individual decisions, including profiling, by sending your request in writing to the attention of the DPO to the postal address located at Calle Federico Mompou 5, Parque Empresarial "Las Tablas", Edificio 1 - Planta 3ª, 28050, Madrid, Spain or to the e-mail address dpo@grpr.com. If there are reasonable doubts about the identity of the holder of the personal data, a copy of an official document (DNI/NIE/Passport) may be requested in order to process the request.

You may lodge a complaint with the Spanish Data Protection Agency (AEPD) to safeguard your rights when you deem it appropriate.

 

How have we obtained your personal data?

The personal data processed by the Controllers are provided directly by you as the data subject through this Platform. The personal data provided must be accurate and up to date in order to respond truthfully to the current and real situation of the candidates.

If you provide personal data of third parties, you are obliged to obtain the express and informed consent of the holders of such data to provide their personal data to the Controllers in accordance with the provisions described in this Privacy Policy.

 

Minors

Minors under fourteen (14) years of age are not authorised to purchase any of the products offered on this Platform.

 

Updating of the Privacy Policy

The Controllers reserve the right to modify this Privacy Policy in order to adapt it to possible legislative developments or changes that may arise in their internal processes and that will impact on the processing of personal data previously reported.

Any change made on the Platform that may affect the processing of personal data of customers and users will be communicated to them through the Platform prior to such processing.