Privacy and Cookie Policy Quinta do Zambujeiro

Your privacy is important to us therefore we present you this document explaining our privacy and cookie policy about how your data is collected and used, giving you the opportunity to opt out in case you are not willing to share this information with us. Please read this document carefully.

 

What information do we collect

We may request personal identification information when you request information, subscribe to our newsletter and/or participate in certain other activities. It is up to you if you want to proceed in any activity that requires this personal information. In case you do not want to provide this information however, it might be possible you might not be able to proceed or complete the transaction.
When you visit our website we will collect information as your IP address, domain name etc. This information together with the data you provide, allows us to customize your visits better.

 

Who has access to your personal information and to what extend

To ensure the security of your personal information your information is only stored on a secure network that can only be accessed by a limited number of people with special access rights and who respect and maintain the confidential nature of this information.
Even though we undertake all the measures and protections, there will always be a risk that your information might be intercepted and used by third parties outside our control. We will never sell, exchange or transfer your personal information in any shape or form with third party subcontractors, other than when an additional service on your behalf is necessary. In this case we require to use this personal information only on behalf of Quinta do Zambujeiro´s requested service. At any time, you may choose to opt out of sharing your personal information with third parties. Such a request can be made by email or through our website.

 

Use of information collected

The information collected on our website is/can be used as follows:

▪ To help us better our service and create a better, more customised service

▪ To help us create better content

▪ To offer you special offers that might be of interest to you

▪ To provide you with updates, new products, services, newsletters, informational emails etc

▪ To allow you to download documents and or get access to certain parts of our website

▪ To help you quickly find information on our website and for a better user experience

Depending on the type of information we may store this data from 1 session to 6 months. For eventual 3rd parties, like a vídeo that can be accessed through our site on YouTube, some of your data might be stored on their side. It is your responsibility to check on the terms and conditions of this 3rd party and whether or not you agree. Quinta do Zambujeiro does not accept any responsibility for this.

 

Cookie Policy

Quinta do Zambujeiro – Produção e Comércio de Vinhos Unipessoal, Lda uses cookies on her website. These cookies allow a website to customise the information presented to you, based on your browsing history. This allows us to personalize your pages or to remember you when registering products or services. If you don´t want this, you can opt out by clicking the reject button for cookies. Be aware, rejecting may affect your ability to use some of the services on our website. Cookies are also used to optimize the content, navigation and the performance of our website.

 

Links on our website of third parties

In case we have third party links on our website to provide you with information, we suggest you read their Privacy and cookie policy as Quinta do Zambujeiro – Produção e Comério de Vinhos Unipessoal, Lda cannot be held responsible for the content and activities of these companies.

 

Cancellation or opting out

In case you do want to review, change or delete your personal information you can email us or contact us through our website at any time. After verification of your identity, we will change or delete your personal information as requested.

 

Changes in policies and procedures

We reserve the right to make any changes or updates to this policy, being it to changes in the legislation or in order to cover new developments. We require you to visit this policy on a regular basis, as such changes may affect you as a visitor to our website.

 

Contact us

For any questions regarding this Privacy and Cookie policy, or to make a complaint, please contact us through one of the means below:
Quinta do Zambujeiro – Produção e Comério de Vinhos Unipessoal, Lda
Monte do Zambujeiro
7150-343 Rio de Moinhos, Borba
Portugal
Tel. +351 268 801 431
Email: info@quintadozambujeiro.com

Data Protection/Privacy Policy

QUINTA DO ZAMBUJEIRO is committed to maintaining levels of Personal Data protection in line with best practices that, at a minimum, fulfil the requirements of Applicable Data Protection Legislation and our contractual obligations.

As part of this commitment, QUINTA DO ZAMBUJEIRO requires its members and any third parties contracted or providing goods and/or services to us (including suppliers, subcontractors and service providers) to take appropriate measures to safeguard Personal Data in the performance of their duties.

We therefore issue this Data Privacy Policy (‘Policy’) to inform you about how and why we collect and Process your Personal Data, our privacy practices and your rights as Data Subjects with respect to the Processing of your Personal Data.

For the purposes of this Policy, the following definitions apply:

‘Applicable Data Protection Legislation’ refers to:

(i)                  the European Data Protection Regulation 2016/679 on the Processing of Personal Data and

(ii)                any laws implementing the EU Data Protection Regulation and

(iii)               any applicable local laws relating to the Processing of Personal Data.

 

‘Controller’ means any entity (i.e. natural or legal person, public authority, agency or other body) which, alone or jointly with other Controllers, determines the purposes and means of the Processing of Personal Data.

‘Processor’ means any entity (i.e. natural or legal person, public authority, agency or other body) acting on behalf of and under the instructions of a Controller or another Processor to Process Personal Data.

‘Data Subject’ means an identified or identifiable natural person whose Personal Data is Processed

‘Employees’ – for the purposes of this Policy only, this means an employee, member of staff, worker, individual consultant, agent, officer or director,

‘Personal Data’ means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as the natural person’s name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data includes Sensitive Personal Data.

‘To Process’, “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation (including remote access), use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Sensitive Personal Data’ refers to specific categories of Personal Data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data and data concerning a natural person’s sex life or sexual orientation.

This Policy applies when QUINTA DO ZAMBUJEIRO acts as Data Controller or Processor.

It applies to the Processing of all Personal Data, regardless of the nature or category of the Personal Data, regardless of how such data is stored.

QUINTA DO ZAMBUJEIRO undertakes to Process Personal Data with the same level of protection, regardless of whether it Processes Personal Data for its own needs or for the needs of its clients or any third party.

The implementation of this Data Privacy Policy requires that all QUINTA DO ZAMBUJEIRO Members, and any third parties contracted by QUINTA DO ZAMBUJEIRO participate fully in its application, without any exception.

QUINTA DO ZAMBUJEIRO will collect and Process Personal Data relating to:

▪ Job applicants,

▪ Employees and former employees,

▪ Public and private clients and potential clients,

▪ Clients and potential clients of public and private clients,

▪ Partners,

▪ Service providers, professional consultants, suppliers, contractors and subcontractors,

▪ Any other third parties.

 

Which Personal Data do we use?

▪ Subject to Applicable Data Protection Legislation, we process all the following categories of Personal Data relating to any third party contracted or providing goods and/or services to us:

▪ identity and contact information (e.g. first name, surname, title, username or similar identifier),

▪ professional/business information (e.g. email address, employer, department, job title, telephone numbers, billing or delivery address),

▪ personal information (e.g. date of birth, personal contact details, biographies, affiliations/memberships, declared conflicts of interest, health data, diversity information),

▪ economic and financial data,

▪ location-related data,

Regarding the Personal Data of our Members or former employees we act as Data Controller, we will comply with Applicable Data Protection Laws (including, where necessary, any requirement to obtain the consent of the Data Subject or the competent representative body of employees).

We may use Personal Data to manage our business activities such as paying invoices, communicating with your business partners and potential business partners, organising meetings, business trips, visa applications, visits, asset management, and fulfilling and managing business partners’ contractual obligations.

Regarding Corporate Security and Quality Control, we provide our members with digital equipment that allows access to the Internet, email and social networks and various software applications and tools.

We trust that each Member acts responsibly and lawfully when using company property and strictly complies with all applicable codes of conduct that are issued in this regard, namely the Code of Ethics and Business Conduct, the Security and Acceptable Use Policy and the policy governing the use of third-party software.

We may process and transfer Personal Data to appropriate third parties to fulfil our policies.

When processing Personal Data of our clients, we will act as a Processor following duly documented instructions from our clients and governed by the legislation in force.

In the management of Personal Data relating to other Data Subjects (e.g. enquirers, website visitors, marketing/business contacts, potential candidates, visitors) we will normally act as Controllers in relation to such Processing operations and any third party contracted or providing goods and/or services to us will act as a Processor. We will process Personal Data only when strictly necessary and will apply other principles based on whether we act as a Controller or as a Processor.

QUINTA DO ZAMBUJEIRO will process Personal Data in a lawful, fair and transparent manner in relation to the Data Subject, in accordance with the requirements of this Policy, using data privacy notices that clearly set out the information required to comply with Applicable Data Protection Legislation.

Any Processing of Personal Data, particularly its collection, shall be preceded by the identification of the specific purpose for such Processing. This purpose must be explicit and legitimate. Personal Data may not be processed in a way that is incompatible with that purpose.

Once the purpose of the Processing of Personal Data has been established, we will only collect Personal Data to the extent necessary to fulfil that purpose.

Each instance of Data Processing shall be reviewed as part of the initial solution design phases and included in the Data Privacy and Security review and approval process or otherwise to ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

Throughout the lifecycle of any Processing of Personal Data, we will ensure that the Personal Data collected remains accurate and up to date.

All reasonable steps will be taken to ensure that inaccurate Personal Data is erased or rectified without delay including, but not limited to, self-service options for Data Subjects. We will provide adequate means for Data Subjects to inform us in the event of any changes to their Personal Data.

We will ensure that we do not keep Personal Data for longer than is strictly necessary to fulfil the purpose for which the Personal Data is collected.

We will therefore determine an appropriate retention period before the processing takes place, considering the time during which the Personal Data is necessary to fulfil the purpose of the Processing, considering the following factors:

The period after which the retention of such Personal Data may have an impact on the Data Subjects’ rights to be forgotten; and

Any legal obligations imposing a minimum data retention period. Data Processing may only be carried out when it falls within one of the circumstances identified below:

▪ It is necessary to fulfil an applicable legal obligation

▪ It is necessary for the performance of a contract, or

▪ It is necessary for our legitimate interest.

▪ It is being understood that this legitimate interest of QUINTA DO ZAMBUJEIRO must be assessed in relation to the interests of the Data Subjects:

– The Processing is necessary to achieve the interest pursued by QUINTA DO

ZAMBUJEIRO without adversely affecting the interest and/or privacy of the Data

Subject.

– QUINTA DO ZAMBUJEIRO’s interests are not overridden by the fundamental rights

or interests of the Data Subjects; and

– QUINTA DO ZAMBUJEIRO’s interest must be determined in the light of its core

business, but always in transparent compliance with any Applicable Data

Protection Legislation.

▪ It is necessary for the vital interest of the Data Subject; or

▪ It is necessary for the fulfilment of a task in the public interest.

 

If none of the above legal grounds apply, QUINTA DO ZAMBUJEIRO will seek and retain the prior consent of the Data Subject before Processing their Personal Data, it being understood that the consent of the Data Subject is valid when

(i) it is freely given by a clear affirmative act; and

(ii) represents a specific, informed and unequivocal indication of the Data Subject’s
consent to the Processing of their Personal Data.

QUINTA DO ZAMBUJEIRO will only grant access to Personal Data when it is necessary for the fulfilment of assigned tasks compatible with the purpose for which the Personal Data is Processed.

Whenever a third party is used to carry out Processing on its behalf, it will ensure that equivalent measures are put in place by that third party through contractual agreements.

In the event of unlawful access and/or unlawful Processing, we will comply with your Information Security Policy and related procedures.

QUINTA DO ZAMBUJEIRO will be responsible for monitoring compliance with Applicable Data Protection Legislation.

When a type of Processing, using new technologies and taking into account the nature, scope, context and purpose of the Processing, is likely to result in a high risk for the protection of your data, we will implement a data protection impact assessment procedure that will allow us to:

▪ identify which processing presents any specific risk to the protection of Personal

Data,

▪ assess the level of compliance with the Processing principles of the Applicable

Data Protection Legislation,

▪ assess the level of severity or likelihood of risk associated with the Processing; and

▪ determine the corrective measures to be implemented to ensure that Personal

Data is Processed with risks that are mitigated and carried out in compliance with

Applicable Data Protection Legislation.

 

If, after mitigation, the risks to Data Subjects remain significant and where required by Applicable Data Protection Legislation, the competent Data Protection Authority will be consulted prior to the commencement of the intended Processing.

The Data Protection Impact Assessment document will be retained for the duration of the Data Processing to which it applies.

QUINTA DO ZAMBUJEIRO when acting as a Data Processor will ensure that it Processes Personal Data exclusively in accordance with the documented instructions of the Data Controller.

Such Processing must be:

▪ Only for the purposes expressed by the Controller,

▪ Carried out under agreed conditions,

▪ For no longer than expressly prescribed by the Data Controller; and

▪ In accordance with the written instructions of the Data Controller, as set out in the
Data Processing agreement between QUINTA DO ZAMBUJEIRO and the Data
Controller.

The Data Controller remains solely responsible for ensuring a valid legal basis for the Processing carried out by QUINTA DO ZAMBUJEIRO and that the required Processing complies with Applicable Data Protection Legislation, including the retention period to be applied.

QUINTA DO ZAMBUJEIRO will immediately inform the Data Controller if, in its opinion, an instruction from the latter infringes Applicable Data Protection Legislation.

Unless otherwise instructed by the Data Controller, QUINTA DO ZAMBUJEIRO will apply (as a minimum) the same security baseline as it does when act as Data Controller.

QUINTA DO ZAMBUJEIRO will provide reasonable assistance to the Controller to support it in the fulfilment of its obligations under Applicable Data Protection Legislation.

At the end of the respective Data Processing agreement, QUINTA DO ZAMBUJEIRO, and any third parties contracted by it will delete or return all Personal Data to the Data Controller, in accordance with its instructions and the Applicable Data Protection Legislation.

In the event of deletion, we will certify to the Data Controller that such deletion has taken place.

In the case of return, we will ensure the confidentiality of the Personal Data transferred to the Data Controller, complying with its instructions.

QUINTA DO ZAMBUJEIRO, when acting as Data Controller, will Process Sensitive Personal Data if and only if it is strictly necessary.

In this case, it must ensure that at least one of the following conditions is met:

▪ The Data Subject has given his/her prior consent,

▪ The Processing is necessary for the purposes of fulfilling the obligations and exercising the specific rights of the Data Controller or the Data Subject in the field of employment and social security and social protection law (including background checks, where applicable),

▪ If the Data Subject is unable to give consent (e.g. for medical reasons), the

Processing is necessary to protect the vital interests of the Data Subject or another

person,

▪ Processing is required in the context of preventive medicine or medical diagnosis

by a health professional under Local Law,

▪ The Data Subject has already manifestly placed the Sensitive Personal Data in
question in the public domain,

Processing is essential for the purpose of establishing, exercising or defending legal claims, if there is no reason to assume that the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not processed.

Whenever QUINTA DO ZAMBUJEIRO, as a Processor, is obliged to Process Sensitive Personal Data, it will follow the written instructions of the Controller and apply the measures agreed between the parties, which will be at least equivalent to its level of security.

The Controller must ensure a valid legal basis for the Processing to be carried out.

In any case, we will process Sensitive Personal Data in accordance with Applicable Data Protection Legislation and fulfil any specific mandatory conditions

To ensure that the principles set out in this Policy are effectively considered, when we Process Personal Data, we will identify and address any data protection restrictions at the start of a new project, so that the principles contained herein are reflected in the design of the project and duly implemented.

Whenever we act as a Subcontractor, the Data Privacy organisation must review and approve the Privacy aspects of the proposal and/or services developed for a client.

When we act as Data Controllers, the Data Privacy organisation will have to give its approval to any new internal project before its development and subsequent implementation begins.

QUINTA DO ZAMBUJEIRO has a standards-based security incident response and management process designed to deal with all phases of a security incident.

Members’ responsibilities are clearly defined at all levels. Incident assessment and prioritisation standards are followed to ensure appropriate levels of involvement and timely resolution. Incident records are kept and resolved.

When QUINTA DO ZAMBUJEIRO becomes aware that a security breach has occurred that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, it will provide notification of security incidents and status updates to the applicable Data Protection Authority, the Data Subjects and/or the Controller, in accordance with Applicable Data Protection Legislation or any other applicable local laws.

Likewise, and for the sake of clarity, if a breach of Personal Data is identified by a third party contracted by QUINTA DO ZAMBUJEIRO, the third party will have to inform us.

Personal Data may be disclosed to:

▪ Legal entities,

▪ third parties contracted to supply goods or services on our behalf (e.g. suppliers, subcontractors and service providers),

▪ certain regulated professionals (e.g. banks, lawyers, notaries and auditors).

 

Disclosure of Personal Data will only be made if reasonably necessary to protect our rights in investigating fraud or to protect operations or users.

Personal Data may also be disclosed to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and Local Legislation and, after careful review, the lawfulness of any data disclosure order.

Transfers of EU and non-EU Personal Data shall be carried out in accordance with Applicable Data Protection Legislation.

Transfers of Personal Data to third parties shall be carried out in accordance with Applicable Data Protection Legislation, after due diligence and assessment of privacy and security risks.

Whenever we use third parties to Process Personal Data, we will ensure that those third parties provide an adequate level of protection for the Personal Data they Process, in accordance with Applicable Data Protection Legislation.

Data Subjects have various rights under Applicable Data Protection Legislation to request access to their Personal Data.

If you have a request regarding the Processing of your Personal Data, please send your formal request to info@quintadozambujeiro.com.

When acting as a Subcontractor, upon request, QUINTA DO ZAMBUJEIRO will provide its clients with relevant information that enables them to fulfil their own obligations towards Data Subjects.

QUINTA DO ZAMBUJEIRO will act in accordance with Applicable Data Protection Legislation and other applicable legal and contractual obligations when searching for and providing relevant Personal Data.

QUINTA DO ZAMBUJEIRO will require Subcontractors that Process Personal Data to do the same.

QUINTA DO ZAMBUJEIRO may need to ask you further questions in relation to your Personal Data or to verify your identity.

In the event of termination of employment contracts for any reason, we will keep the Personal Data of former employees for as long as permitted under applicable laws and regulations and as necessary for the provision of appropriate ongoing benefits and services.

QUINTA DO ZAMBUJEIRO and its Members, in addition to this Policy, will also comply with other applicable confidentiality and privacy obligations, including those set out in any Applicable Data Protection Legislation, in their employment contracts and in the client’s policies, processes and/or instructions.

QUINTA DO ZAMBUJEIRO maintains a dedicated data privacy page on its website, where policies, standards, guidelines, information and other materials related to the global privacy program are made available to all Members.

QUINTA DO ZAMBUJEIRO has appointed a person responsible for overseeing the global data protection strategy, company-wide data protection policies and procedures, data protection regulatory compliance: Nuno Miguel Martins Malta.

For any questions regarding the interpretation or operation of this Policy, please send an email to info@quintadozambujeiro.com or contact +351 268 801 431.

If your issue is not resolved by contacting QUINTA DO ZAMBUJEIRO’s Data Privacy Organisation or if you believe you have evidence of misconduct that could harm QUINTA DO ZAMBUJEIRO and its Members, clients or partners, you should contact the following email address: info@quintadozambujeiro.com