Just addressing the concern that a publicly traded company like Merlin would make a GDPR compliant website to avoid the hefty fines, and not just blindly ask for email addresses:
The website you guys were referring to earlier added this - https://www.project-zero.info/priv
One more thing, I submitted one of my spam email addresses to see what this supposed 'Project Zer0' website would send, as I was still extremely sceptical. It appears that this 'company' owns office space in Staines opposite the Shell petrol station and not to far from Staines National Rail station, obviously therefore not too far from the resort. I've attached the information from the email here - http://prntscr.com/jqt35m
I don't know if this helps legitimise this rumour in any way, but thought it seemed pertinent to the discussion
Let me know what you think!