Privacy Policy

The data controllers responsible for processing your personal data are Madrid Theme Park Management, S.L.U. the company responsible for operating Warner and Warner Beach parks and the company managing its central services, Parques Reunidos Servicios Centrales, S.A., both with registered office at Calle Federico Mompou 5, Parque Empresarial "Las Tablas," Building 1 - 3rd Floor, 28050, Madrid, Spain. Both companies act individually as data controllers and jointly as joint controllers (hereinafter, the “Controllers”).

If you have any questions regarding the processing of your personal data or wish to request the essential parts of the joint controllership agreement between the Controllers, you may contact the Data Protection Officer (DPO) by sending your request to the above postal address or via email at dpo@grpr.com.

The Controllers will process your personal data for the purposes detailed below, depending on the purpose informed in the channel through which you provided your personal data:

Managing the contractual relationship for the purchase or booking of products and services

The personal data provided will be processed to manage the purchase or booking of the Controllers’ products and services, process the payment, and send you the confirmation and the receipt via email, along with any relevant documentation for your visit and access to the park.

If during the purchase or booking process you use promotions subject to specific eligibility conditions (such as large family discounts or discount codes for certain groups), please note that at the park’s ticket offices, we may request the corresponding documentation to verify compliance with these conditions (e.g., large family card, official document proving membership in certain groups, ID card/NIE/Passport/Driver’s License, etc.), without recording or storing this information.

In case of unforeseen events or circumstances affecting the product or service you purchased (such as weather conditions, security reasons, or public health concerns), the Controllers may contact you via electronic means (email, SMS, or phone calls) to inform you about any possible impact on your visit.

·        Categories of personal data processed: name, surname, email, phone number, transactional information related to the purchase or booking of products and services, payment details and receipts, date of birth (to ensure you are over fourteen (14) years old, as required by European data protection legislation, otherwise, we would need consent from your legal guardian or custodian), and country (to ensure that any communication sent to you is in the language of the country you provided, guaranteeing full comprehension).

·        Legal basis: the legal basis for processing your personal data is the performance of the contract between you and the Controllers for the purchase or booking of products and services (Contractual Terms and Conditions). Without the personal data provided, the purchase or booking of the Controllers' products and services would not be possible.

Customer service

If you request information about products and services or send us inquiries, suggestions, complaints, claims, or incident reports via any of the channels provided by the Controllers (specific form, phone, or email), your personal data will be processed to manage and respond to your request via email or phone call, depending on the means you used to contact us.

·        Categories of personal data processed: name, surname, phone number, email, transactional information related to the purchase or booking of products and services, date of birth (to ensure you are over fourteen (14) years old, as required by European data protection legislation, otherwise, we would need consent from your legal guardian or custodian), country (to ensure we respond to your request in the language of the country you provided, guaranteeing full comprehension), and any other information you voluntarily provide in your request.

·        Legal basis: the processing of your data is necessary for taking pre-contractual measures at your request or for the performance of the contract (Contractual Terms and Conditions) related to the purchase or booking of products and services. Without the required personal data, your request could not be processed.

Sending commercial communications, including personalized communications, about our own products and services, those of other companies in the Parques Reunidos Group in Europe and other third-party collaborators

Only if you give your express consent by ticking the box included for this purpose on the various forms on this website or by clicking the ‘Submit/Send‘ button on the newsletter form, your personal data will be processed by the Data Controllers to send you commercial communications by any means, including electronic means (e-mail, SMS, telephone calls). These communications, which may be personalized by means of profiling, will be related to our own products and services and those of the other companies of the Parques Reunidos Group in Europe (leisure and hospitality sectors), as well as those of third parties with whom we have collaboration or sponsorship agreements (sectors: leisure, hospitality, travel, energy, transport and food).

These commercial communications may include surveys, newsletters, discounts, promotions, relevant information, commercial information about their activities, brand and image promotion, events, products, and services. These communications may be personalized based on profiling and analysis of your preferences through automated decisions, ensuring they align with your interests. The configuration and filtering of these parameters are detailed below in our email marketing platform: demographic criteria based on the postal code and country you provide, transactional information from our own sources related to your purchase history and the type of products and services acquired (tickets, season pass or parks pass, experiences, parking, or food and beverage-related products) and inferred socioeconomic parameters based on your age, the type of product or service you purchase, and your behavior when receiving a commercial communication (whether or not you proceed with the purchase of the product or service offered in the commercial communication).

The aforementioned profiling will not be used to make automated decisions with legal effects on you or that could significantly affect you in a similar way (economic impact, denial of services, discrimination, disadvantages compared to other customers, etc.). It will solely be used to ensure that our customers and potential customers receive communications better suited to their interests.

·        Categories of Personal Data Processed: your email address and phone number will be processed to send commercial communications, and your country will be used to ensure these communications are sent in the appropriate language. Additionally, transactional information related to your purchase or reservation of products and services, as well as any other information you provide through surveys, will be processed. The personalization parameters mentioned above (demographic criteria, transactional information, and inferred socioeconomic parameters) will be used to ensure that you only receive commercial communications with information that we believe aligns best with your interests.

·        Legal Basis: this process will only take place if you voluntarily give your explicit consent by checking the corresponding box in the various forms on this website or by clicking the "Submit/Send" button in the newsletter form.

Please note that, in addition to all other rights granted to you under data protection regulations, you may withdraw your consent at any time and request to opt out of receiving commercial communications. You may also request not to be subject to automated individual decision-making, including profiling, request human intervention in automated decisions, express your opinion, clarify any doubts, or challenge such decisions as outlined in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Anonymization of Personal Data for Research, Market Analysis, and Customer Experience

The Controllers will anonymize certain personal data provided by you through the forms on this website, where you are specifically informed of this processing, as well as responses you provide in surveys. This anonymized data will be used to generate aggregated statistical reports for conducting market analysis and research. These reports will help us assess our market positioning and customer experience, allowing us to make strategic business decisions (e.g., sales trends).

·        Categories of Personal Data Processed: aggregated information related to postal code and country, as well as survey responses you provide, will be processed after being dissociated from any personal data to ensure that your individual identification is not possible.

·        Legal Basis: this process is necessary to satisfy the legitimate interests pursued by the Controllers. The Controllers consider that the rights and freedoms of their customers are not undermined and that a balance exists between the interests of both parties (customers and Controllers). This is because processing allows for the achievement of its intended purpose (research, market analysis, and customer experience), which is essential for the Controllers to make strategic business decisions and improve their products, services, and internal operational processes. These improvements ultimately enhance the quality of customer experience.

Furthermore, we consider that there is no more moderate mechanism to achieve this purpose with the same level of effectiveness. Only basic, non-sensitive information is used (postal code, country, and survey responses), which is previously dissociated from any personal data to ensure customers cannot be individually identified during this process.

Additionally, we understand that customers may have a reasonable expectation regarding this processing based on their contractual relationship with the Controllers, the specific information provided by the Controllers, and the fact that such processing is a standardized and common practice in the service industry.

Nevertheless, you may object to the processing of your personal data at any time or exercise your other data protection rights in accordance with the procedure described in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Cart Management and Recovery

Only if you provide your email address and give your explicit consent through the pop-up that will appear during the online purchase process in case of inactivity on your part, your personal data will be processed so that, if you do not complete the purchase or booking of the products and services you have previously selected, we can send you an email reminder to finalize the purchase or booking. If you ultimately do not complete the purchase or booking of such products and services, you will receive a brief survey via email to understand the reason for not completing it, which will help us improve our customers’ web experience.

• Category of personal data processed: Email address.
• Legal basis: this process will only be carried out if you voluntarily give your explicit consent through the pop-up that will appear during the online purchase process in case of inactivity on your part. We remind you that, in addition to the other rights granted to you under data protection regulations, you may also withdraw your consent at any time and request to unsubscribe from abandoned cart reminders as set out in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Compliance with Legal Obligations

Personal data will be processed to comply with the legal obligations applicable to the Controllers as a result of the relationship maintained with you as a customer and the processing of your personal data in accordance with European Union law and/or the applicable national legal framework (legal obligations required by tax regulations, personal data protection regulations, commercial law, consumer and user protection regulations, information society services and e-commerce regulations, civil law regulations, accounting regulations, etc.).

• Category of personal data processed: name, surname, phone number, email address, document proving the identity of the data subject or customer status (ID card, NIE, Passport, Driver’s License), large family card, season pass card, transactional information about your purchase (where applicable), data collected through the use of cookies or similar technologies as indicated in this website’s Cookie Policy, or any other information necessary to fulfill legal obligations at the request of competent supervisory authorities.
• Legal basis: Compliance with legal obligations applicable to the Controllers under European Union law and/or the applicable national legal framework. Without your personal data, the Controllers would not be able to properly comply with the stated legal obligations or address potential legal responsibilities arising from the relationship maintained with you or the processing of your personal data.

Prevention and Detection of Potentially Fraudulent Activities

Activating the necessary mechanisms to prevent and detect the misuse of the website or potential fraud related to the purchase or booking of products and services that may affect the Controllers or their customers. If potentially fraudulent activities related to the payment of products and services are detected, the Controllers may share the information regarding the affected transaction and the identifying details of the person who carried it out with the owner of the payment platform used and, if necessary, with the competent public authorities to take appropriate action in each case.

• Category of personal data processed: transactional information, payment information, and contact details provided during potential fraudulent purchase processes.
• Legal basis: this processing is necessary for the pursuit of the legitimate interests of the Controllers. The Controllers understand that the rights and freedoms of individuals are not unduly affected and that there is a balance of legitimate interests, as this processing aims to achieve the intended purpose (preventing and detecting potential fraudulent activities) and is beneficial for customers and website users. It enables necessary measures to protect them from illicit activities such as fraud attempts by third parties, protects the Controllers from the misuse of the website and its products and services, and benefits society as a whole by discouraging fraudulent activities and ensuring they are detected when they occur

Difusión del contenido de los usuarios que previamente hayan mencionado o etiquetado al parque en redes sociales

Si usted comparte contenido en sus redes sociales y menciona la cuenta de usuario del parque (por ejemplo, nos mencionas en stories o en posts…), podremos tratar tus datos personales para promocionar la imagen del parque en sus perfiles de redes sociales compartiendo dicha publicación donde mencionas al parque.

Le informamos que no controlamos el tratamiento de los datos personales de los usuarios de las redes sociales donde el parque tiene cuenta registrada (Facebook, Twitter, Instagram y Tik Tok). Para obtener más información sobre cómo y con qué fines el proveedor de redes sociales recopila y trata datos personales, y sobre los derechos y opciones de los usuarios para proteger la privacidad, consulte las políticas de privacidad aplicables del proveedor de redes sociales.

• Categoría de datos personales tratados: cuenta de usuario, imagen y/o voz del usuario de la red social y/o de aquellos terceros que puedan aparecer en su publicación.
• Base de legitimación: este tratamiento sólo se llevará a cabo si usted presta voluntariamente su consentimiento expreso al responder de manera afirmativa al mensaje directo enviado desde el perfil de la red social de los Responsables. Le recordamos que, además del resto de derechos que le concede la normativa de protección de datos, en cualquier momento también puede retirar su consentimiento para que borremos la publicación, bien conforme a lo dispuesto en el apartado “¿Cuáles son sus derechos cuando nos facilita sus datos personales?” que se incluye en esta Política de Privacidad, o bien mediante mensaje directo enviado a nuestro perfil de la red social donde hayamos compartido dicho contenido

Use of Cookies and Similar Technologies

The Controllers use first-party and third-party cookies and similar technologies (HTTP Cookies, Pixel Tracker, and Local Shared) through this website. As a result, they process, store, and share users' information and personal data while they browse the site, in accordance with specific purposes and configuration parameters that are always made available to users.

You can find all the information regarding the use of cookies and similar technologies on this website, the personal data processing that results from it, and how to manage your consent in our Cookies Policy.

Depending on the purpose for which we process your personal data, the applicable retention criteria are as follows:

• Management of the contractual relationship for the purchase or reservation of products and services: While the contractual relationship with you remains in effect due to the purchase or reservation of products and services.
• Customer service: For as long as necessary to process and respond to your request, complaint, incident, or claim.
• Sending commercial communications, including personalized communications, about our own products and services, those of other companies in the Parques Reunidos Group in Europe and other third-party collaborators: Until you withdraw the express and informed consent you previously provided, request to unsubscribe through the means provided in each commercial communication you receive, or exercise your right to erasure, objection, or your right not to be subject to automated decisions, including profiling. In such cases, your personal data will no longer be processed for this purpose.
• Anonymization of Personal Data for Research, Market Analysis, and Customer Experience: The information processed for this purpose is anonymized and cannot be linked to your other personal information. However, if you request the erasure of your data or object to the processing before anonymization, your data will no longer be processed for this purpose.
• Compliance with legal obligations: Personal data will be retained in a blocked state for as long as legal liabilities may arise for the Controllers in relation to their legal obligations.
• Prevention and detection of potentially fraudulent activities: Until any detected fraudulent activities are resolved, after which the data will remain blocked as long as legal liabilities may arise for the Controllers as a result.
• Cart management and recovery: For a maximum of 30 days, unless you withdraw your express consent or request to unsubscribe from abandoned cart reminders beforehand. In such cases, your personal data will no longer be processed for this purpose.
• Dissemination of the content of users who have previously mentioned or tagged the park on social networks: depending on the type of publication, personal data will be retained according to the following criteria: (i) in the case of publications shared on our stories, personal data will be processed for twenty-four (24) hours, being subsequently deleted without the possibility of recovery; (ii) in the case of publications shared on our feed, personal data will be processed until the user withdraws their consent to their data being published, without affecting the lawfulness of the processing based on consent prior to its withdrawal.
• Use of cookies and similar technologies: The information will be processed for as long as the consent granted by users for the installation of cookies on their devices remains valid. If users do not revoke this consent through the mechanisms provided in our Cookies Policy, the information will be retained for the duration of the validity period of the installed cookies or similar technologies.

In any of the above cases, once the personal data is no longer relevant for the collected purposes or, where applicable, you withdraw your consent or exercise your right to erasure or objection regarding the indicated processing activities, the Controllers may retain the data in a blocked state (meaning that the personal data will be identified and reserved, with technical and organizational measures implemented to prevent its processing, including its visualization). This ensures that the data remains available, if necessary, to competent public authorities, particularly the relevant Data Protection Supervisory Authority, Courts, Tribunals, or the Public Prosecutor’s Office, for the duration of the statute of limitations of any legal actions that may arise from the relationship with you or the processing of your personal data, as well as for the legally established retention periods in accordance with European Union law and/or applicable domestic regulations. Once these periods expire, your personal data will be permanently deleted without the possibility of recovery.

Your personal data may only be shared with competent Public Authorities, particularly the competent Data Protection Supervisory Authority, Judges, Courts, or the Public Prosecutor’s Office, if necessary to address potential legal liabilities or comply with legal retention periods, in accordance with European Union law and/or domestic legal regulations.

Additionally, the Controllers work with service providers who may also process your personal data to provide services related to the purposes for which you are being informed. These providers operate in sectors such as (but not limited to) information security, customer relationship management (CRM), technology, legal advisory, marketing, customer service, multidisciplinary professional services, IT services, etc. These providers will only access your personal data to perform their services on behalf of and under the instructions of the Controllers, ensuring that they never use such data for their own purposes or any unauthorized purposes.

Among these providers is Salesforce, which provides services related to the CRM and marketing cloud platform and has companies worldwide. This provider will act on our behalf and under our instructions within the European Economic Area (EEA) in compliance with applicable European data protection regulations. However, in exceptional cases—such as a disaster recovery situation (a process to recover data and functionalities in the event of a system disruption caused by a natural or human-made disaster)—Salesforce may also provide its services through companies located outside the EEA. In such cases, it may be necessary to process your personal data in countries that do not offer a level of protection equivalent to that provided under European data protection regulations (for example, in the USA).

Nevertheless, even in this scenario, the Controllers have entered binding contractual commitments with Salesforce and ensured the implementation of appropriate security measures to guarantee that your personal data is always processed with an adequate level of protection, equivalent to the standards required within the EEA. These measures include standard contractual clauses approved by the European Commission under the General Data Protection Regulation (GDPR), additional security measures and adherence to certification mechanisms.

For further information or to exercise any of the rights granted to you under data protection regulations, please do not hesitate to contact the Controllers as described in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

If you expressly consent to receiving commercial communications from the Parques Reunidos Group companies, please note that these companies are located within the European Union and primarily engage in the management and operation of amusement parks, water parks, zoos, aquariums, leisure centers, and travel agency activities, including offering hotel and theme park packages. Specifically, these companies include:

• Spanish Companies of Parques Reunidos Group: Parques Reunidos Servicios Centrales, S.A. (Bono Parques); Parque de Atracciones Madrid, S.A.U. (Parque de Atracciones Madrid); Madrid Theme Park Management, S.L.U. (Parque Warner y Parque Warner Beach); Gestión Parque de Animales Madrid, S.L.U. (Faunia); Zoos Ibericos, S.A. (Zoo Aquarium Madrid); Parques de la Naturaleza Selwo, S.L. (Selwo Aventura y Hotel Selwo Lodge); Aquópolis Cartaya, S.L.U. (Aquópolis Cartaya); Leisure Parks, S.A. (Aquópolis de Villanueva de la Cañada, Aquópolis Costa Dorada - Vilaseca, Costa Dorada-,  Delfinario Costa Dorada – Vilaseca, Costa Dorada, Selwo Marina, Aquópolis de Cullera, Aquópolis de Torrevieja, Teleférico de Benalmádena); Mall Entertainment Centre Acuario Arroyomolinos, S.L.U. (Atlantis Aquarium); Travelpark Viajes, S.L.U. (products and services related to joint entry packages to Parques Reunidos Group parks and leisure centres in Europe and hotel accommodation bookings).
• Rest of the Companies of Parques Reunidos Group in Europe: Italia - Parco della Standiana S.R.L (Mirabilandia y Mirabeach) y Travelparks Italy, S.R.L.( (productos y servicios relacionados con paquetes conjuntos de entrada a parques y centros de ocio del Grupo Parques Reunidos y reserva de alojamiento en hoteles); Noruega - Tusenfryd A/S (Tusenfryd) y Bø Sommarland AS (Bo Sommarland); Bélgica - Bobbejaanland, B.V.B.A (Bobbejaanland); BonBon-Land A/S (BonBon -Land); Alemania - Movie Park Germany GmbH y Movie Park Germany Services GmbH (Movie Park), Event Park GmbH (Belantis), Nature Park Germany GmbH (Vogelpark Walsrode), Tropical Island Management (Tropical Island) and TI Hotel Asset GmbH (Tropical Island Hotels); Países Bajos - Attractie- en Vakantiepark Slagharen B.V. (Slagharen y Slagharen Beach); Francia - Marineland SAS (Aquasplash y Adventure Golf), Marineland Resort SAS (So.Blue Hôtel); Inglaterra - Grant Leisure Group LTD (Blackpool Zoo), Real Live Leisure Company LTD (The Bournemouth Aquarium y Aquarium of the lakes) and Lakeside Mall Entertainment Centre Limited (Nickelodeon Adventure-Lakeside). 

You may exercise your right to access, rectification, objection, restriction, portability, and, where applicable, not to be subject to automated individual decision-making, including profiling, by submitting a written request addressed to the DPO at the postal address: Calle Federico Mompou 5, Parque Empresarial “Las Tablas,” Edificio 1 – 3rd Floor, 28050, Madrid, Spain, or via email at dpo@grpr.com. If there are reasonable doubts regarding the identity of the data subject, a copy of an official document (ID card, NIE, or passport) may be requested to process the request.

Regarding processing based on your consent, please note that you may withdraw your consent or object to processing at any time by following the procedure described in the previous paragraph. Additionally, if you have expressly consented to receiving commercial communications, we also provide you with the option to unsubscribe using the means available in each commercial communication you receive.

Furthermore, when applicable, you may also request not to be subject to individualized decision-making based solely on automated processing of your personal data for profiling purposes. You may also request human intervention, express your viewpoint, clarify any doubts, or challenge such decisions by submitting your request to the DPO following the procedure described in the previous paragraph.

The personal data processed by the Controllers is provided directly by you as the data subject through this website and/or during your relationship with us.

If you provide personal data from third parties, you must obtain their explicit and informed consent before sharing their personal data with the Controllers, in accordance with the provisions described in this Privacy Policy.

If it is necessary to provide the Controllers with information about allergies and/or intolerances (for example, to configure menus for an event or activity previously booked by you), please ensure that you only provide the number of people and the type of allergy and/or intolerance, without including any personal data that could individually identify the person with the allergy or intolerance.

Minors under fourteen (14) years of age are not permitted to purchase or book any of the products or services offered on this website.

Notwithstanding the above, if, as a result of purchasing or booking any of the products or services offered through this website (e.g., birthday or communion celebrations), you freely and voluntarily decide to provide personal data of a minor under fourteen (14) years of age (e.g., to personalize the space where the contracted services will be provided), you, as the holder of parental authority or legal guardian of the minor, must provide explicit and informed consent for the Controllers to process the minor’s personal data within the contractual relationship established with you as a result of the purchase or booking of such products or services, in accordance with the provisions of this Privacy Policy.

You may file a complaint with the Spanish Data Protection Agency if you believe your rights have been violated. However, we recommend that you first contact the DPO via email at dpo@grpr.com or by post at Calle Federico Mompou, 5, Parque Empresarial "Las Tablas," Edificio 1 - 3rd Floor, 28050, Madrid, Spain, so we can assist you with your request and address any concerns regarding the processing of your personal data.

Privacy Policy updated in February 2025