Privacy Policy

TREATMENT OF PERSONAL DATA

At VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A. we care about the personal data that we process and that prevailing legislation on personal data protection is strictly complied with, among others Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Organic Law 3/2018, of 5 December, on Personal Data Protection and digital rights guarantee.

As such, we provide information on the following matters relating to the personal data processing that we perform at MARQUÉS DE RISCAL:


Who is responsible for processing your personal data?

Identity: VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A.
Tax ID:: A01000306          

Address: Calle Torrea 1, 01340 de Elciego (Álava)    

Tel.:: 945 60 60 00             

E-mail: marquesderiscal@marquesderiscal.com


With regard to the bodega tour section and the sub-domain visitas.marquesderiscal.com, responsibility for processing corresponds to:

OwnerSERVICIOS AGRUTURÍSTICOS RISCAL, S.L.
Tax ID:  B01342872          

Address: Calle Torrea 1, 01340 de Elciego (Álava)     

Tel.: 945 60 60 00              

E-mail: marquesderiscal@marquesderiscal.com.


With regard to the Asador Torrea section, responsibility for processing corresponds to:


Owner: ASADOR TORREA, S.L.
Tax ID:  B01570159
Address: Calle Torrea, nº 1
              01340 Elciego (Álava)
Tel.: 945 60 60 00
E-mail: marquesderiscal@marquesderiscal.com.


With regard to the online store, responsibility for processing corresponds to:

Owner: BODEGA DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L.U.
Tax ID:  B01414531
Address: Calle Torrea, nº 1
              01340 Elciego (Álava)
Tel.: 945 60 60 00
E-mail: marquesderiscal@marquesderiscal.com.


This is without prejudice to the fact that, in certain cases, such companies may be considered co-responsible for the processing, as in the case of processing derived from the contact section.


Therefore, the references made in this legal notice to MARQUÉS DE RISCAL will be understood to be made to the previously mentioned companies.


Contact details for Data Protection Officer
In MARQUÉS DE RISCAL we have appointed a Data Protection Officer who has the following contact data:

Address: Calle Torrea, nº 1

              01340 Elciego (Álava)

E-mail: dpo@marquesderiscal.com.


Principles related to processing

In processing personal data we respect the principles demanded by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Hereinafter the RGPD).

  • Principle of lawfulness, faithfulness and transparency: the data we collect are processed in a lawful, faithful and transparent way, with the prior consent of the interested parties where necessary, or if applicable, for the execution of a contract which the interested person is party to or for the application of pre-contractual measures at the request of the latter, or when, if the processing is necessary for complying with an applicable legal obligation, to protect the vital interests of the interested person or other natural person, or for the satisfaction of the legitimate interests pursued by the person responsible or a third party, providing that the interests or fundamental rights and liberties of the interested party do not prevail over said interests which may require the protection of personal data, in particular when the interested party is a child.
  • Principle of limitation of purposethe personal data which we process are used for the purposes indicated in the section “For what purpose do we use your personal data”.
  • Principle of minimisation of data: in accordance with this principle, the only personal data we collect from users are those strictly necessary for managing the purposes described in the section “For what purpose do we use your personal data
  • Principle of accuracy: the personal data we collect will be kept accurate and updated whenever necessary. For this purpose, if there should be any change in the user’s personal data, they should inform us so that we can make the corresponding amendments.
  • Principle of limitation of the time they are kept: the personal data that we process will be kept for the periods indicated in the section “How long do we keep your personal data?”.
  • Principle of integrity and confidentiality: to respect this principle, the personal data will be processed in such a way that appropriate security is guaranteed, including protection against unauthorised or unlawful processing, and against their loss, destruction or accidental damage, applying the appropriate technical and organisation measures for this purpose.


For what purpose do we use your personal data (whether or not users of the web page)?

  • Customer data: for the correct maintenance, execution, compliance and control of the contractual relationship with customers and of the services they request.Moreover, we will use the identification and contact details for conducting customer satisfaction surveys and to send, by electronic means or otherwise, technical, operational and/or sales information about news and marketing information about our company’s offers, activities, products and services.
  • Supplier data: for the correct maintenance, execution, compliance and control of the contractual relationship with our suppliers and of the services they provide.
  • Staff data: for the maintenance, execution, compliance and control of the contractual relationship with our employees, as well as compliance with the current labour, Social Security and Occupational Risk Prevention legislation and regulations that may be applicable.
  • Applicants’ data: to manage the participation of the interested parties in the company’s staff recruitment selection processes.
  • Data collected through contact section: to manage and respond to enquiries, complaints, suggestions and requests made by users through the web page.
  • Data collected through the Asador Torrea table booking form: to manage bookings in our Asador Torrea restaurant.
  • Data collected through the bodega tour booking form: to manage bodega tour bookings and to send marketing information about our company’s offers, activities, products and services.

In any case, regarding the sending of commercial information about Marqués de Riscal to clients and winery visitors who make their reservation through our website, we inform you that in order to manage in a more efficient, dynamic and operative way and to be able to have a better control of such sending that we make by e-mail we use MailChimp, a platform developed by The Rocket Science Group Llc, whose use implies the installation by the provider of this service of tracking devices for the activity of the recipients, in order to control the opening of the emails and the clicking of the links contained in the emails, and to be able to prepare with the information collected reports on the monitoring of the campaigns.


What is the legal basis for processing your personal data?

  • Customer data: the legal basis for processing the personal data of customers is the execution of the contract or dealing with orders they place. With regards to customer satisfaction surveys and the sending of marketing material, the legal basis is the satisfaction of the legitimate interests of MARQUÉS DE RISCAL pursuant to article 6.1. f) of the RGPD, based on the provisions of Report 195/2017 of the AEPD. This will be notwithstanding the possibility of the customer to oppose the sending of this marketing information.
  • Supplier data: the legal basis for processing the personal data of suppliers is the execution of the contract or commercial relationship which exists with the company.
  • Staff data: the legal basis for processing the personal data of staff is the execution of the employment contract between the company and its employees.
  • Applicants’ data: the legal basis for processing the personal data of the interested party is the consent they give by giving us their curriculum vitae in order to participate in the staff selection processes we may have.
  • Data collected through the contact section: the legal basis for processing your personal data is the consent given by contacting us and, consequently, the need for this processing in order to deal with and respond to the request for contact that you make.
  • Data collected through the Asador Torrea table booking form: the legal basis for the processing of personal data is the execution of a contract to which the interested person is a party.
  • Data collected through the bodega tour booking form: the legal basis for the processing of personal data is the execution of a contract to which the interested person is a party. For sending sales information, the legal basis is the satisfaction of the processor’s legitimate interests.

For sending sales information, the legal basis isthe satisfaction of the processor’s legitimate interests pursued by MARQUÉS DERISCAL as provided for in Article 6.1. f) of the RGPD, based on the provisionsof Report 195/2017 of the AEPD. This shall be without prejudice to thepossibility they have of opposing the sending of such commercial information.


How have we obtained your personal data?

All the personal data that we process are provided to us by the interested parties themselves or by their legal representatives.

 The personal data we collect via the web site have been gathered through the various forms provided or through the email addresses established for contacting us.


Who will your personal data be shared with?

The personal data of customers, suppliers and employees will be shared, if applicable, with the tax authorities for compliance with legal and tax obligations, as well as with the banking establishment/s through which VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A. collect payments (in the case of customers) and make payments (in the case of suppliers and employees).

The personal data of customers, suppliers, employees and applicants may be shared with other MARQUÉS DE RISCAL companies (indicated in the initial section of this privacy policy) for internal administrative purposes.

In the same way, for some issues we use services of third parties, who act as data processors, with whom we have signed the corresponding data processing contract in accordance with Article 28.3 of the RGPD.


Transfers of personal data to third countries
In order to manage in a more efficient, dynamic and operational way and to be able to have a better control of the commercial communications that we send by e-mail we use MailChimp, a platform developed by The Rocket Science Group Llc, a company that acts also as a processor and that, despite being outside the European Union and the European Economic Space, the international transfer of data that implies its use also has the appropriate guarantees contemplated in the article 46.2 c) of the General Regulation of Data Protection (standard contractual clauses adopted by the European Commission).

MailChimp's privacy policy: https://mailchimp.com/legal/privacy/

Addendum to MailChimp standard contract clauses: https://mailchimp.com/legal/data-processing-addendum/#Annex_C_-_Standard_Contractual_Clauses

We inform you that the use of this platform implies the installation by the provider of the mentioned service in the mentioned mailings of tracking devices of the activity of the recipients, in order to control the opening of the mails and the click of the links contained in the mails, and to be able to elaborate with the information obtained reports of tracking of the campaigns.


How long will we keep your personal data?

  • Client and supplier data: their personal data will be stored for the duration of the corresponding contractual relationship and, once this has terminated, for the period of the limitation of liabilities established by the applicable legal provisions.

Regarding the sending of commercial information to customers, we will keep their identification and contact information until they express their refusal to continue receiving it.

  • Staff data: employees' personal data will be stored for the duration of the employment contract and, once this has terminated, for the period of the limitation of liabilities established by the applicable legal provisions.
  • Candidate data: the personal data of candidates will be stored for a maximum period of two years.
  • Data collected through the contact section: the personal data provided by users who contact us will only be stored while their request is being dealt with so that, once their request has been processed, their details will be deleted.
  • Data collected through the Asador Torrea table booking form: the personal data will be kept only during the management of the reservation request in such a way that, once it has been completed, it will be deleted.
  • Data collected through the bodega tour booking form: the personal data will be kept until the bodega visit has taken place and, subsequently, during the time necessary to meet legal obligations. In the case of sending marketing material, personal data will be stored for as long as the interested parties do not withdraw their consent.
  • Data from users of our social media profiles: the periods of storage for personal data from our followers on social media depend on the policies of each social network, although we will only process it while they follow us.


What rights do you have when you provide us with your personal data?

  • Right to request access to your personal data: to learn and verify the legality of the processing, you may request confirmation as to whether MARQUÉS DE RISCAL are processing your personal data at any time and if this is the case, we will inform you, among other matters, of the data we are processing, its purpose, source, expected data storage period and where appropriate, recipients or categories of recipients.
  • Right to request amendment of data: you can request the amendment of any personal data that is inaccurate or ask us to complete any incomplete data through an additional declaration. In such a case you must indicate in your request which data you are referring to and the correction that should be made, attaching, where appropriate, supporting documentation of the inaccuracy or incomplete nature of the data being processed.
  • Right to request data deletion (“right to be forgotten”): you can request that your personal data be deleted and no longer processed if it is no longer necessary for the purposes for which it was collected or if processed in another way, withdraw consent, or it has been processed illegally or must be deleted to comply with a legal obligation.
  • Right to request limitation of personal data processing: in this case MARQUÉS DE RISCAL will only hold your personal data for the formulation, exercise or defence of claims, or with a view to protecting the rights of another legal entity or individual or for overriding public interest.
  • Right to the portability of your personal data: you can request that we hand over your personal data, to you or another person as indicated by you, in a structured, usable and readable format.
  • Right to oppose the processing of your data: MARQUÉS DE RISCAL will stop processing your personal data as you indicate, unless we have to continue processing it for compelling legitimate grounds or for the formulation, exercise or defence of potential claims.

How to exercise your data protection rights: to exercise your rights please send a written request to MARQUÉS DE RISCAL, indicating the company before which you exercise your right, Calle Torrea, 1, 01340, Elciego, Álava, Spain or send an email to dpo@marquesderiscal.com, attaching in any case a photocopy of your national identity document.

MARQUÉS DE RISCAL will respond to the requests within the periods and under the conditions required by prevailing personal data protection legislation.

How to lodge a complaint with the Spanish Data Protection Agency: if you consider that we have not properly processed your personal data or that we have not duly assisted you in exercising your data protection rights, you can lodge a complaint with the Spanish Data Protection Agency, either via its website or its address, at 6, Calle Jorge Juan, 28001, Madrid. Further information on data protection rights and complaints to the supervisory authorities is available on www.agpd.es.


Security

In accordance with that provided in article 32 of the GDPR, MARQUÉS DE RISCAL have adopted the appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk presented. 

Data processing risks have been taken into account in order to assess the appropriate security level, in particular as a result of the destruction, loss or accidental or illegal alteration of the personal data transferred, stored or processed in a different way, or the communication or unauthorised access to such data. 


Obligation to secrecy

MARQUÉS DE RISCAL have adopted measures to ensure that any person acting under their respective authority with access to personal data provided by users, can only process them by following the company's instructions, as well as maintaining their professional confidentiality, which will be of an indefinite duration. 

To this effect, our employees have signed a confidentiality and obligation to secrecy document regarding the information and personal data that they process in the course of their existing employment relationship with the company.


Website use by minors

We ask our users to read the policies on the use of the website by minors that we have published on the "Legal advice" section of our website.


Social media

  • Social media profiles: MARQUÉS DE RISCAL has profiles on some of the main social networks that currently exist, and it may process the personal data of our followers, people that appear in the posts that we publish (for example photographs) and people who send us private messages. 
  • Data processing and purpose: the data processing that MARQUÉS DE RISCAL will perform will be limited and conditioned by the policies and functions of each social network.  

When a user becomes one of our followers on a social network they consent to us using their personal data solely in the environment of the corresponding social network to manage our page or profile and to the two-way communication that we may have with our followers via chat, messages or other means of communication provided by the social network both at the present time and in the future. This means that we will have access to their profile information that appears in the comment, for example and without limitation, to their username, image (in the event that the user has a profile picture), and any comments made. 

We would also like to inform you that when a user becomes one of our followers, the news that we publish will also appear on their wall and, should they make comments on ours, both their comment and their profile name and, where appropriate, their profile picture, will be visible to other followers. In any case, users are responsible for their own use of social media. We will not use users' personal data for any purposes other than those indicated in the previous paragraphs or to send them information in any other way other than through the social network in question. Unless the interested party gives their consent or asks us to fulfil a request, we will not extract personal data from the social media environment.

  • Data protection rights: with regard to the rights of access, amendment, deletion, processing limitation, opposition and portability of their personal data we can act in accordance with the possibilities allowed by each social network. MARQUÉS DE RISCAL will provide all the assistance it can so that the interested party can exercise their aforementioned rights. Any of our followers can cease to follow our page or profile at any time and we would no longer have any access to their personal data, although the social media in question will save the comments that have previously been posted on our wall.  In any case, users are responsible for their own use of social media, and therefore, MARQUÉS DE RISCAL does not accept any liability for this.


 Cookies

Cookies are small text files which are stored on the hard-drive or memory of the computer used to access or visit the pages of certain websites, storing user preferences for when they next connect. The cookies stored on the hard-drive cannot read the data stored on the hard-drive, access personal information or read cookies created by other providers. For further information on the cookies used on this website, read the "Cookies policy" section.


Date of Text: 2 November 2020