Commitment to Data Protection and Privacy
MADEIRA WINE COMPANY, S.A. complies with all Portuguese and Community legal standards applicable to data protection, privacy and information security.
MADEIRA WINE COMPANY, S.A. is in the process of deploying a Personal Data Protection System and an Information Security System to ensure regulatory compliance and to prove its institutional responsibility with regard to data protection and information security, implementing all technical and organizational measures needed to fulfil the general legal framework of the Data Protection Act currently in force, as well as the special legal arrangements of the General Data Protection Regulation, applicable as of 25 May 2018.
"Personal data" means information on an identified or identifiable natural person ("data subject"); a natural person who can be identified, directly or indirectly, particularly in reference to an identifier, is considered identifiable. Personal identifiers include names, ID numbers, location data, electronic identifiers or one or more specific features of the natural person's physical, physiological, genetic, mental, economic, cultural or social identity.
"Personal data processing" means an operation or collection of operations performed on personal data or sets of personal data, by automated or non-automated means, such as collecting, recording, organizing, structuring, retaining, adapting/modifying, recovering, consulting, using, disclosing via transmission, dissemination or any other means of provision, comparing/interconnecting, limiting, deleting or destroying data.
"Cookies" are small text files with information considered important, uploaded by devices used for access (computers, cell phones and mobile devices), through the internet browser, when a Customer or User visits an online site.
Entity Responsible for Processing
MADEIRA WINE COMPANY, S.A., with its registered office at Avenida Zarco, 2, 9000-069 Funchal, registered in the Funchal Commercial Registry Office under legal entity and registry number 511004206, with share capital of €1,750,00.00, hereinafter called MWC, is the entity responsible for the website www.thewinelodges.com and its computer applications, hereinafter called channels or applications, by which Users, Service Recipients and Customers remotely access the products and services of MWC which are shown, marketed or provided, at any given time, through these channels or applications.
Contact Information of Entity Responsible for Processing
Collection and Processing of Personal Data
MWC shall process the personal data strictly needed for the provision of information and operation of its channels, in accordance with the uses of Users, Service Recipients and Customers, whether the data is provided by Users or Service Recipients for the purposes of recording requests or obtaining information, provided by Customers for the purpose of subscribing to these channels, or resulting from the use of services provided by MWC through them, including access, consultation, instructions, transactions and other records related to their use.
In particular, the use or activation of certain features of the channels may involve the processing of various direct or indirect personal identifiers, including name, residential address, contact information, addresses of devices or geographic location, whenever the User, Service Recipient or Customer has given express consent for this purpose.
In any case, Users, Service Recipients and Customers shall always be notified of any need to access this data in order to use the features of the channels in question.
The personal data collected by MWC shall be processed by computer, in some cases automatically, including the processing of files, definition of profiles and management of the pre-contractual, contractual and post-contractual relationship with Users, Service Recipients or Customers, pursuant to Portuguese and Community standards in force.
All data processing complies with essential legal principles on data protection and privacy, namely with regard to its circulation, legality, trustworthiness, transparency, purpose, minimization, retention, accuracy, integrity and confidentiality; MWC is willing to demonstrate its responsibility to the data subject or any third party with a legitimate interest in this regard.
Grounds of Legitimacy
All data processing done by MWC is based on legitimate grounds, since: i) the data subject has given consent for the processing of personal data for one or more specific purposes; ii) the processing is considered necessary for the performance of a contractual agreement to which the data subject is a party, or for pre-contractual procedures at the data subject's request; iii) the processing is necessary to fulfil a legal obligation applicable to the entity in charge of processing; or iv) the processing is necessary for the legitimate interests of MWC or third parties.
Purpose of Treatment
All personal data processed in MWC's channels is intended exclusively for the provision of information to Users, the management of personal information of Service Recipients considered necessary for managing the relationship or for communication, the provision of services to Customers and, in general, the management of pre-contractual, contractual or post-contractual relationships with Users or Customers.
Even so, personal data collected may be subject to processing for statistical purposes, for information dissemination or promotional initiatives and for commercial or marketing initiatives, namely for promoting new features, products or services through direct communication via post, email, messages or telephone calls, or any other electronic communications services.
With prior notice and express authorization at all times for the latter purposes, Users and Customers may, at any time, exercise their right to oppose the use of personal data for purposes beyond the management of the contractual relationship, namely for marketing purposes, the sending of information or inclusion in lists or information services, by sending a written request to the MWC Data Protection Office, as per the procedures described below.
Data Retention Times
Personal data shall only be retained for the time period needed for the purposes of its collection and subsequent processing, in compliance with all applicable legal standards with regard to archiving.
MWC may use to main categories of cookies: cookies for websites, and cookies for direct electronic communication channels, with the option for Users and Customers to deactivate cookies in both cases.
The cookies used by MWC, in all of its channels, do not collect personal information allowing Users or Customers to be identified, and only save general information such as the means or geographic location of access, how the channels are used, among other things. Cookies only retain information on Users' and Customers' preferences, and do not record personal identifiers.
Users, Service Recipients and Customers may, at any time, through the computer application they use to browse the internet (browser), opt to receive notifications on the receipt of cookies, and to block the entry of cookies into their system.
In relation to the type of intended purposes, MWC may, whenever so justified, use three different types of cookies per the following specifications:
(i) essential cookies - some cookies are essential for accessing specific areas of online channels, allowing browsing and the use of their applications, such as accessing secure website areas, via the user registry - without these cookies, the services requiring them cannot be provided;
(ii) functional cookies - functional cookies remember user website browsing preferences, avoiding the need to reconfigure and customize on each visit;
(iii) analytical cookies - these cookies are used to analyse how users use websites, allowing articles or services of potential user interest to be featured, monitoring website performance, determining which pages are most popular, which connection method between pages is most effective, or why certain pages are receiving error messages - these cookies are only used for creating and analysing statistics, and never collect information of a personal nature.
With these purposes in mind, MWC is able to provide a high-quality experience to Users and Customers by personalizing information and offers, and finding or remedying potential problems which may arise during use.
In terms of validity type, there are two types of cookies:
(i) permanent cookies – these cookies are stored in the devices used to access channels (computers, cell phones, etc.) with regard to the computer application used to browse the internet (browser), and are used whenever Users and Customers revisit a channel - in general, they are used to guide browsing according to the User's or Customer's interests, allowing MWC to provide a more personalized service;
(ii) session cookies - these are temporary cookies which are generated and only available through the closing of the session, since the cookies will no longer be stored the next time the User or Customer accesses the browser - the information obtained allows the sessions to be managed, including troubleshooting to provide a better browsing experience.
Users and Customers may deactivate cookies, partially or in whole, at any time by following the instructions available in each computer application used to browse the internet (browser); however, deactivation may prohibit access to certain website features.
Also in this category of cookies, Users and Customers always have the ability to deactivate electronic communications through a specific option at the bottom of these communications.
Communication of Data to Other Entities
MWC's provision of certain information and services to its Users and Customers through the channels may require the use of services from third-party subcontractors, including entities headquartered outside of the European Union, who may need to access Users' and Customers' personal data.
Under these circumstances, and whenever necessary, MWC shall only employ subcontractors offering sufficient guarantees of having adequate technical and organizational measures to ensure that data processing meets the requirements of applicable standards, as formalized in a contractual agreement signed between MWC and each of these third parties.
Except for the purpose of fulfilling legal obligations, under no circumstances shall the personal data of Users, Service Recipients or Customers be disclosed to third parties other than legitimate recipients and subcontractors; furthermore, no other disclosure shall occur for purposes beyond those referred to above.
International Data Transfers
Any transfer of personal data to a third country or international organization shall only be done in compliance with legal obligations or a guarantee of conformity with Portuguese and Community legal standards applicable in this regard.
Bearing in mind the most advanced techniques, costs of application and the nature, scope, context and purposes of processing, together with risks, their likelihood and varying severity to Users and Customers, MWC and all of its subcontractors shall employ adequate technical and organizational measures to ensure a level of security suited to the risk.
To this end, various security measures are employed to protect personal data against dissemination, loss, improper use, modification, unauthorized processing or access, and against any other means of unlawful processing.
Users, Service Recipients and Customers shall be solely responsible for keeping access codes secret, and for not sharing them with third parties; furthermore, in the specific case of computer applications used to access the channels, Users, Service Recipients and Customers shall keep and maintain access devices in safe conditions, following the recommended security practices of manufacturers and/or operators, namely with regard to installing and updating the necessary security applications, including antivirus applications, among others.
If services must be subcontracted to third parties who may have access to the personal data of Users or Customers, MWC's subcontractors shall be obliged to employ safety protocols and measures at organization level, together with measures of a technical nature needed to safeguard the confidentiality and security of personal data and to prevent unauthorized access, loss or destruction of personal data.
Exercising of Personal Data Subject Rights
MWC's Users and Customers may, as personal data subjects, exercise their data protection and privacy rights at any time, namely the rights of access, correction, deletion, portability, limitation or denial of processing, pursuant to the terms and limits of applicable standards.
Any request to exercise data protection and privacy rights must be addressed in writing, by the respective data subject, to the Data Protection Office, in accordance with the procedures and contact information described below.
Complaints, Feedback and Reporting of Incidents
MWC's Users and Customers have the right to file complaints by recording the complaint in the Complaint Book or by submitting the complaint to the regulatory authorities.
MWC's Users and Customers may also give feedback via email to the Data Protection Office.
Reporting of Incidents
MWC has deployed a system for managing incidents in the areas of data protection, privacy and information security.
Users or Customers wishing to report a personal data breach resulting, whether accidentally or illicitly, in the destruction, loss, modification, unauthorized access to or disclosure of personal data transmitted, retained or subject to any other type of processing, may contact the Data Protection Office or use the general MWC contact information shown above.
Express Consent and Acceptance
The free, specific and informed provision of personal data by the data subject implies knowledge and acceptance of the terms of this Policy, with the understanding that, by using the channels or by providing personal data, Users, Service Recipients and Customers are expressly authorizing the processing of this data, in accordance with the rules laid out for each channel or applicable instruments of collection.
Data Protection Office