HomeKnowledge base › Theme parks and visitor data
Leisure

Theme parks: destroying visitor data

A theme park's visitor data and season passes ready for confidential destruction

A theme park processes the data of everyone who comes through the gate. Tickets and season passes, sometimes with a photo, online order and payment data, CCTV footage in the park, reports of lost children or medical incidents and the data of permanent staff and seasonal workers. Part falls under the tax retention obligation, part is sensitive and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.

The quick answer: payment and invoicing data falls under the tax seven years. CCTV footage you keep briefly. Reports of lost children or medical incidents are sensitive and go as soon as possible. Tickets and season passes you keep no longer than the season and its settlement require. What may go disappears confidentially and with a certificate.

Which visitor data does a theme park process?

At a theme park several types of data run together. A single day ticket is different from a season pass with a name and photo. An online order with payment data is different from a CCTV image at the roller coaster. A report of a lost child or a medical incident is more sensitive than an ordinary reservation. If you treat the data per type, you keep exactly what you must and clear out the rest on time.

The common thread is purpose limitation. You keep a piece of data for as long as the purpose you collected it for runs, plus any statutory period. As soon as that purpose has been met and no other ground applies, the data should go. For a theme park with a seasonal peak that means a fixed clear-out moment after the season ends.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the moment the purpose has been met.

PartStarting pointPeriod
Payment and invoicingTax retention obligation7 years
Tickets and season passesPurpose-boundseason + settlement
Photo on season passSensitive, storage limitationvalidity of the pass
CCTV footage in the parkAs briefly as possibledays to a few weeks
Lost children and incidentsSensitive, storage limitationas briefly as possible
Staff and seasonal workersHR and taxsee personnel file
Correspondence and draftsNo retention obligationclear out at once

Use this as a guideline, not a substitute for your own assessment. When in doubt, consult your privacy adviser. A full overview per document type is in the GDPR retention periods cheatsheet.

Season passes with a photo: be restrained

A season pass with a name and photo is handy against misuse, but it also creates a collection of identity data. A photo is personal data and, depending on how you use it, can be biometric in nature. So keep the photo only while the pass is valid and clear it out confidentially afterwards. Do not ask for more imagery than the pass needs and do not link the photo to data that has nothing to do with it.

If you ask for a copy of an identity document at purchase, be extra critical about that. A copy contains a national ID number and more than you need. How to clear such a copy safely is in safely destroying passport and ID copies.

Online order and payment data

Many visitors now buy online in advance. With that you process name, address, email and payment data, just like a webshop. The payment and invoicing side falls under the seven-year tax retention obligation. The rest of the order data you keep no longer than necessary for the settlement and any warranty or complaint period. The approach is comparable to that of a webshop destroying customer data.

Lost children and medical incidents

A theme park regularly makes reports of lost children or medical incidents. Those are sensitive data, because they concern vulnerable situations and sometimes health. Use these reports only to handle the incident, keep them recognisably separate from the ordinary administration and destroy them as soon as the purpose has been met and no complaint or dispute is in play. Keeping them to come in handy one day is not a valid ground.

CCTV footage in the park

CCTV footage of queues, attractions and the grounds falls under the GDPR. You keep it as briefly as possible, usually a few days to a couple of weeks, unless a concrete incident justifies keeping it longer. Once the period has passed the footage is overwritten or destroyed. If an old recorder or hard drive leaves the building, have it destroyed as a data carrier. The full approach is in CCTV footage: retention period and destruction.

Staff and seasonal workers

A theme park runs on many temporary workers during the season. Their personnel files have their own retention periods, partly tax and partly from employment law. Clear out application data of rejected candidates on time and keep contracts and payroll records for the applicable period. Seasonal workers too are entitled to careful processing and timely clean-up of their data.

How to handle it in 6 steps

  1. Split the data into payment, tickets, CCTV footage, incidents and staff.
  2. Limit photos and identity data to what the pass really needs.
  3. Treat incident reports separately and clear them out once the purpose has been met.
  4. Keep CCTV footage briefly for a fixed period.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Visitor data is destroyed confidentially, because it contains identity, payment and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old till computer, recorder or backup with visitor data belongs with it too. That way you avoid loose boxes of season passes or incident reports lying around somewhere.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Visitor data to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Keeping photos from expired passes. Clear them out once the pass is no longer valid.
  • Filing incident reports with the ordinary administration. Those need extra care and timely destruction.
  • Keeping CCTV footage too long. Without a concrete reason it goes quickly.
  • Throwing away unshredded. A season pass or incident report on the street is a reportable data breach.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long does a theme park keep ticket and season pass data?

Ticket and season pass data you keep no longer than the season and its settlement require. Payment and invoicing data falls under the seven-year tax retention obligation. Other visitor data you clear out as soon as the purpose has been met.

May a theme park keep a photo on the season pass?

A photo on a season pass is personal data and can be biometric in nature. Keep the photo only while the pass is valid and clear it out confidentially afterwards. Do not ask for more imagery than the pass needs.

What do I do with reports of lost children or medical incidents?

These reports are sensitive. Use them only to handle the incident, keep them recognisably separate and destroy them as soon as the purpose has been met and no complaint or dispute is in play.

How do I destroy visitor data in line with the GDPR?

Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.

Conclusion

A theme park works with identity, payment and sometimes health data of every visitor, from a single day ticket to a sensitive incident report. Keep the payment administration seven years, be restrained with photos, clear out incident reports once the purpose has been met and keep CCTV footage brief. What may go you have destroyed confidentially with a certificate as proof. That way you protect your visitors' data and meet the GDPR.

Read also: cinemas and theatres: destroying visitor data, sauna and wellness: destroying customer data, casinos and arcades: destroying customer data and event agencies: destroying attendee lists.


Have visitor data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.