Personal data policy



Last update: [21/03/24] 

 

Protecting our customers’ personal data is one of our core concerns. 

 

This document applies to data that we collect online, on our websites and mobile apps, as well as to data that we collect offline in our theme parks, shops and hotels or at events. 

 

We would like to provide you with all the information you need to understand how your data is used: 

1. Who is responsible for the use of your data? 

2. With whom is your data shared? 

3. When is your personal data collected? 

4. What data do we collect? 

5. How do we use your data and how long do we keep it? 

6. Are there any specific measures for children? 

7. Where is your personal data stored? 

8. How is your data kept secure? 

9. What rights do you have over your data? 

10. Do you have a question? Contact us! 

 

1. Who is responsible for the use of your data?

 

 When you book and/or access our services, your personal data is processed by: 

- Compagnie des Alpes, the parent company of the Compagnie des Alpes Group, with capital of €25,266,567.50, registered on the Paris Trade and Companies Register under number 349 577 908, having its registered office at 50-51 boulevard Haussmann 75009 Paris, 

And, 

- Grévin et Compagnie, an affiliated company of the Compagnie des Alpes Group and operator of the Parc Astérix theme park, with capital of €52,913,012.57, registered on the Compiègne Trade and Companies Register under number 334 240 033, having its registered office at BP8, 60128 Plailly. 

 

In this policy, ‘we’ or ‘us’ refers to these two companies, which may act together as joint data controllers for the processing activities referred to below. 

Although Compagnie des Alpes is responsible for managing and supervising the computer system used to collect and process your data, it is the sole responsibility of Grévin et Compagnie, as an independent data controller, to manage the contractual relationship with you, provide you with the services you have ordered, and carry out marketing and advertising operations for its services and brands. 

 

2. With whom is your data shared? 

 

Internal recipients within the Compagnie des Alpes Group: 

 

Your data is processed jointly by Grévin et Compagnie and Compagnie des Alpes, the parent company of the Compagnie des Alpes Group. 

 

Within these two companies, your data is only accessible to a limited number of people in specific departments (customer services, sales, IT, hotel staff, etc.), only if access to the data is necessary for the purposes of their duties. 

 

On the other hand, your data is not shared with other companies in the Compagnie des Alpes group unless you have expressly authorised it or you are a business client (e.g. tour operator, distributor, social and economic committee, etc.). 

 

For our business clients, unless you object to this processing, your data may be shared with other companies in the Compagnie des Alpes group operating theme parks, to enable you to receive our offers on all products likely to be of interest to you. 

The list of companies concerned is as follows: 

- Chaplin’s World – By Grévin (Geneva Companies Register CH-660-0618000-4) 

- Family Park – M. Müller Gesellschaft m.b.H. (FN 126549 b) 

- France Miniature (Versailles Trade and Companies Register 348 677 196) 

- Futuroscope (Poitiers Trade and Companies Register 444 030 902) 

- Musée Grévin (Paris Trade and Companies Register 552 067 811) 

- Walibi Belgium and Bellewaerde – Belpark (Ypres Companies Register 0439 050 308) 

- Walibi Holland – Harderwijk Hellendoorn Holding (KvK 34161632) 

- Walibi Rhône-Alpes – Avenir Land (Vienne Trade and Companies Register 311 285 068) 

 

Recipients outside the Compagnie des Alpes Group: 

 

Your data may also be shared with recipients outside the Compagnie des Alpes Group: 

 

- With all our technical service providers whose involvement is necessary to carry out the processing activities mentioned below (IT service providers, payment service providers, printers, etc.), in order to process your order and improve our services, exclusively within the limits of our instructions; 

 

- With social networks, only if you choose to create your customer account via the quick ‘social login’ procedure. If you choose this option, you will be able to use your Facebook, Apple or Google account to register on our website, without having to re-enter your details. By using this function, you agree to share certain information about yourself, from your social network, with us. The information sent to us by the social network is your surname, first name and email address. This information is required to create your customer account. We do not share information with social networks about your activities and orders on this website. However, these networks will have information relating to connections to your account. Before using ‘Social Login’, we invite you to read the privacy protection policies of the social networks so that you are aware of how they use your data. 

Facebook

Apple

Google

 

- Where applicable, with national or local authorities, if required by law or as part of an investigation and in accordance with the regulations. 

 

3. When is your personal data collected? 

 

We may collect your personal data on various occasions: 

 

Online: 

 

On our website or mobile app, to receive our newsletters, or to log in to your account, place orders or use our digital services. 

 

In our theme parks: 

 

While you’re enjoying our facilities, on your own or with your loved ones: taking photographs, disabled access, access to discounted rates, public Wi-Fi, equipment hire, video surveillance, staying in our hotels. 

 

When we interact with you: 

 

When you open or reply to a newsletter, take part in a satisfaction survey or take part in a competition. When you call Customer Services with a complaint.

 

Via our Partners: 

 

When you access our services through an intermediary (e.g. travel agencies, partner distributors). 

 

4. What data do we collect? 

 

We only collect the data that is strictly necessary for the use, and no more! 

Depending on your journey through our park or on our websites, we may collect the following information: 

- The information needed to create your customer account (title, surname, first name, e-mail address, date of birth) 

- Payment information 

- Postal address 

- Telephone number 

- Date of birth 

- Photography 

- Browsing data (on this subject, see our information about cookies

- Geolocation (mobile app only) 

- Passport, identity card for hotel reservations 

- If necessary, and depending on the product subscribed to, the names and e-mail addresses of your relatives for groups and families 

- Supporting documents for discounted rates or priority access, the conditions of which are detailed on our website. You will be asked to show original supporting documents at our ticket offices. A copy of this supporting document may be made solely for the purposes of combating fraud. 

 

5. How do we use your data and how long do we keep it? 

 

At the end of the retention periods defined below, we delete your data from our systems or make it anonymous so that it can no longer be used to identify you. 

 

Processing activitiesLegal groundsData retention periods

Customer account

 

Contract performance

 

For as long as your customer account is active, and up to two years after the last login to your account. Processing orders and bookings Contract performance For online purchases: for five years from the date of purchase if the value of the order is less than €120, for ten years if the value of the order is €120 or more (and for five years for transactions at the ticket office). The data linked to your bank card is kept for 13 months by our payment service providers after the last debit date for proof purposes in the event that the transaction is disputed (15 months for deferred debit payment cards). The security code (CVV) is not kept after the transaction.

 

 

Hotel stays (access to rooms, VIP services) 

 

Contract performance

 

For the duration of your stay.

 

 

Staying in hotels: police form

 

Legal obligation

 

Six months.

 

 

Personalising hotel reception services

 

Legitimate interest for managing our business and providing you with the products and services you request

 

For the duration of your stay.

 

 

Satisfaction surveys

 

Legitimate interest

 

Time required to achieve the survey objective, then anonymised.

 

 

Competitions

 

Running the competition

 

Six months from the end of the competition.

 

 

Sending out newsletters/prospecting campaigns by e-mail or SMS. If you have also accepted cookies, you may also receive shopping basket reminders by e-mail if you have not completed a purchase.

 

Consent or legitimate interest if you are a business client or if you have purchased a product on our website or mobile app

 

Five years for prospects and customers, from the date of your last contact with us (e.g. a request for sales documentation, a click on a hyperlink contained in our newsletter).

 

 

Complaints handling and after-sales service

 

Contract performance

 

Five years after the complaint has been closed.

 

 

Drawing up statistics

 

Legitimate interest 

 

Time required to achieve the objective of the statistics, then anonymised.

 

 

Copy of supporting documents for discounted and special rates

 

Legitimate interest (combating fraud)

 

24 hours after collection.

 

 

Personalising browsing/profiling

 

Consent

 

12 months.

 

 

Using the public Wi-Fi that we make available to you

 

 Legal obligation

 

One year (retention of technical connection data).

 

 

Recording telephone calls to customer service

 

Legitimate interest

 

Verbal conversations are recorded at random (sampling) and kept for six months.

 

 

Photographs for annual passes

 

Contract performance

 

Six months after the annual pass expires (if the pass is renewed, the photograph may be kept and reused).

 

 

Taking photographs on attractions

 

Contract performance

 

On the day of the visit only, and if the photograph is purchased: Once month from the date of purchase.

 

 

Photographs taken at our photobooths

 

Consent

 

The day of the visit only.

 

 

Rental management (pushchair, wheelchair, Filotomatix telephone, mobility scooter)

 

Contract performance

 

Pushchair: day of the visit.

Filotomatix telephone: 1 months.

Wheelchair: 10 days.

Mobility scooter: 10 days.

 

 

Pet care

 

Contract performance

 

The day of the visit.

 

 

Allocation of Accessibility Passes to people with disabilities

 

Contract performance

 

The day of the visit.

 

 

Managing taxi requests

 

Contract performance

 

The day of the visit.

 

 

Managing deposits

 

Contract performance

 

The day of the visit.

 

 

Managing lost property

 

Contract performance

 

Items containing personal data (identity documents, telephones, etc.) are kept for two months and then handed over to the relevant authorities. Return, loss and custodian declarations are kept for one year.

 

 

Video surveillance

 

Legitimate interest 

 

Seven days after images are recorded.

 

 

Geolocation (on the mobile app)

 

Consent

 

For the duration of use of the mobile app (data is only stored on the visitor’s handset).

 

 

Priority access at attractions – generation and queue monitoring

 

Contract performance

 

The time required to perform the service. 

 

 

Transfer of image rights

 

Contract performance

 

Five years after the end of the transfer period.

 

 

Firs aid for visitors

 

Safeguarding the person’s vital interests

 

Bodily injury: up to ten years from the date of injury. In the event of damage to the property: for five years.

 

 

Exercising your GDPR rights

 

Legal obligations

 

Ten years after the request is closed. Where proof of identity has been required, it will be deleted as soon as verification has been completed.

 

 

Litigation management

 

Legitimate interest

 

Until all avenues of appeal have been exhausted.

 

 

Job application

 

Legitimate interest

 

Two years after data collection for unsuccessful applications.

 

 

Cybersecurity – Vulnerability reporting 

 

Legitimate interest

 

Six years from receipt of the declaration of vulnerability

 

 

Focus on profiling to personalise our content: 

 

We are able to personalise the display of content on our website and send you newsletters or push notifications to your mobile phone that are tailored to your needs. 

 

We implement this personalisation solely on the basis of the information we have collected directly from you during your purchases (and only this information), and your browsing data on our website or our mobile app, once you have accepted cookies. 

 

This information also enables us to target our advertising campaigns on third-party sites (e.g. social networks) better so that they match your interests more closely. 

 

The data used for this profiling is based on: 

- A maximum five-year history of your customer account data; 

- A maximum 12-month history for browsing data on our website and/or mobile app. 

 

6. Are there any specific measures for children? 

 

Although the family aspect of our activities is at the heart of our concerns, we do not process any data specifically relating to children. 

 

If a person under the age of 15 uses our services, we recommend that they are supported by an adult. If necessary, the consent of parents or legal guardians may be obtained at the time the data is collected. 

 

7. Where is your data stored? 

 

All your personal data is stored exclusively on servers located in the European Union or in countries offering an ‘adequate’ level of protection (e.g. the United Kingdom, Switzerland). 

 

Although this data is hosted in the European Union, it may be accessible from third countries when we use technical service providers (e.g. AWS, Adobe, Microsoft, Google) that are based abroad (i.e. United Kingdom, United States, Israel). Access from these countries is considered as a data transfer, but is necessary for the smooth operation and maintenance of the IT tools they offer. These service providers have real expertise that justifies their involvement.

 

We do everything we can with these service providers to ensure that your data is protected in accordance with European regulations. These service providers only act in accordance with our instructions. Contracts are systematically signed with the latter, and transfers of personal data are governed by enhanced contractual clauses specifically designed for this purpose (standard contractual clauses – SCCs – published by the European Commission) where the laws of the country concerned do not offer protection equivalent to the GDPR (so-called ‘adequate’ countries). Where necessary, additional technical or legal measures are put in place. 

 

8. How is your data kept secure? 

 

The security of your personal data is a core concern for the companies in the Compagnie des Alpes Group, which pool their resources to ensure that you benefit from an appropriate level of security that is up to date with industry standards. 

 

In order to preserve the confidentiality and security of your personal data, and in particular to protect it against any unlawful or accidental destruction, accidental loss or alteration, or unauthorised disclosure or access, the Compagnie des Alpes Group takes the appropriate technical and organisational measures, and requires that its data processors meet the same high standards. These measures are adapted to the sensitivity of the data processed and the level of risk. 

 

The Compagnie des Alpes Group has put in place procedures to detect, analyse and monitor security incidents and any suspected breach of your personal data, and to be able to block access to the data at any time. Procedures for managing personal authorisations have also been put in place to ensure that access to data is as restricted as possible. 

 

Despite our efforts, vulnerabilities may still exist in our systems. If you think you have detected a vulnerability, please contact us using this form (vulnerability disclosure page), observing the principles described there. 

 

9. What rights do you have over your data? 

 

You have a number of rights in relation to your personal data held by us: 

 

- The right to object: You no longer wish to receive our sales communications and wish to object to a decision linked to your profiling, or withdraw consent 

- The right to rectify your data: moving house? changing email address? let us know by keeping your details up to date! 

- The right to access your data: you may request a copy of all your personal data held by us, in a comprehensible format. 

- The right to erase your data: You wish to delete your entire customer account and erase all your personal data in our possession. We will comply with your request, with the exception of accounting and tax records relating to your transactions, as well as those required to create our evidence files (in the event of any legal proceedings), which must be kept.

- The right to freeze the use of your data: if you are faced with a litigious situation and wish to prevent the deletion of your data, your data will be retained without being used. 

- The right to port your data: You want to recover some of your data. You are then free to store it elsewhere or transfer it easily from one system to another, so that it can be re-used for other purposes. 

 

You will find all our contact details below in order to exercise these rights. 

 

10. Do you have a question? Contact us! 

 

Do you have a question? Would you like to stop receiving our newsletters? Delete your account? 

 

We have appointed a Data Protection Officer to answer all your questions and ensure the protection of your personal data. 

 

To contact them, please click here

 

Please fill in the form for this purpose and your request will be processed within one month. For mobile apps, don’t forget that you can change your authorisations at any time from your phone’s settings, for each of your apps. 

 

You can also contact them at: 

 

- By post at the following address: Grévin et Compagnie, Service Protection des Données, BP 8, 60128 Plailly, France; 

 

Or 

 

- By email at the following address: privacy@parcasterix.com 

 

If there are serious doubts about your identity, and if there is no other way, you may be asked to provide proof of identity to process your request, simply to ensure that we are dealing with the right person. 

 

If, despite our efforts, you feel that our response is incomplete, you can contact the French data protection authority (CNIL) https://www.cnil.fr/fr