Privacy Policy

TREATMENT OF PERSONAL DATA

At VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A. we care about the personal data that we process and that prevailing legislation on personal data protection is strictly complied with, among others Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. As such, we provide information on the following matters relating to the personal data processing that we perform at VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A.:
Who is responsible for processing your personal data?

Identity: VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A.
Tax ID:: A01000306          

Address: Calle Torrea 1, 01340 de Elciego (Álava)    

Tel.:: 945 60 60 00             

E-mail: marquesderiscal@marquesderiscal.com
With regard to the bodega tour section and the sub-domain visitas.marquesderiscal.com, responsibility for processing corresponds to:

Owner: SERVICIOS AGRUTURÍSTICOS RISCAL, S.L.
Tax ID:  B01342872          

Address: Calle Torrea 1, 01340 de Elciego (Álava)     

Tel.: 945 60 60 00              

E-mail: marquesderiscal@marquesderiscal.com.
Contact details for Data Protection Officer

Anyone interested can contact our Data Protection Officer for any matter related to their personal data either by writing to the postal address given above or by sending an email to the following address: dpo@marquesderiscal.com.

Principles related to processing

In processing personal data we respect the principles demanded by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Hereinafter the RGPD).

Principle of lawfulness, faithfulness and transparency: the data we collect are processed in a lawful, faithful and transparent way, with the prior consent of the interested parties where necessary, or if applicable, for the execution of a contract which the interested person is party to or for the application of pre-contractual measures at the request of the latter, or when, if the processing is necessary for complying with an applicable legal obligation, to protect the vital interests of the interested person or other natural person, or for the satisfaction of the legitimate interests pursued by the person responsible or a third party, providing that the interests or fundamental rights and liberties of the interested party do not prevail over said interests which may require the protection of personal data, in particular when the interested party is a child.

Principle of limitation of purpose: the personal data which we process are used for the purposes indicated in the section “For what purpose do we use your personal data”.

Principle of minimisation of data: in accordance with this principle, the only personal data we collect from users are those strictly necessary for managing the purposes described in the section “For what purpose do we use your personal data

Principle of accuracy: the personal data we collect will be kept accurate and updated whenever necessary. For this purpose, if there should be any change in the user’s personal data, they should inform us so that we can make the corresponding amendments.

Principle of limitation of the time they are kept: the personal data that we process will be kept for the periods indicated in the section “How long do we keep your personal data?”.

Principle of integrity and confidentiality: to respect this principle, the personal data will be processed in such a way that appropriate security is guaranteed, including protection against unauthorised or unlawful processing, and against their loss, destruction or accidental damage, applying the appropriate technical and organisation measures for this purpose.
For what purpose do we use your personal data (whether or not users of the web page)?

Customer data: for the correct maintenance, execution, compliance and control of the contractual relationship with customers and of the services they request.Moreover, we will use the identification and contact details for conducting customer satisfaction surveys and to send, by electronic means or otherwise, technical, operational and/or sales information about news and marketing information about our company’s offers, activities, products and services.

Supplier data: for the correct maintenance, execution, compliance and control of the contractual relationship with our suppliers and of the services they provide.

Staff data: for the maintenance, execution, compliance and control of the contractual relationship with our employees, as well as compliance with the current labour, Social Security and Occupational Risk Prevention legislation and regulations that may be applicable.

Applicants’ data: to manage the participation of the interested parties in the company’s staff recruitment selection processes.

Data collected through contact section: to manage and respond to enquiries, complaints, suggestions and requests made by users through the web page.

Data collected through the blog: to manage and respond to comments posted by users of the blog.

Data collected via the form for ideas and opinions about marquesderiscal.com: to manage and respond to comments and opinions posted by users.

Data collected through the bodega tour booking form: to manage bodega tour bookings and to send marketing information about our company’s offers, activities, products and services.

Processing data excluded by the RGPD

In Recital 14 of the RGPD it establishes that the “protection provided by this Regulation must be applied to natural persons, irrespective of their nationality or place of residence, in respect of the processing of their personal data. These Regulations do not regulate the processing of personal data related to legal persons and in particular to companies constituted as corporate bodies, including the name and the form of the legal person and their contact data”.  This means that these rules and the liabilities and rights it contains will not be applicable to some of the data processing that is conducted by VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A., such as those related to customers who are legal persons or suppliers.

What is the legal basis for processing your personal data?

Customer data: the legal basis for processing the personal data of customers is the execution of the contract or dealing with orders they place. With regards to customer satisfaction surveys and the sending of marketing material, the legal basis is the satisfaction of the legitimate interests of VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A.  pursuant to article 6.1. f) of the RGPD, based on the provisions of Report 195/2017 of the AEPD. This will be notwithstanding the possibility of the customer to oppose the sending of this marketing information.  

Supplier data: the legal basis for processing the personal data of suppliers is the execution of the contract or commercial relationship which exists with the company

Staff data: the legal basis for processing the personal data of staff is the execution of the employment contract between the company and its employees

Applicants’ data: the legal basis for processing the personal data of the interested party is the consent they give by giving us their curriculum vitae in order to participate in the staff selection processes we may have.

Data collected through the contact form: the legal basis for processing your personal data is the consent given by contacting us and, consequently, the need for this processing in order to deal with and respond to the request for contact that you make.

Data collected through the blog; the legal basis for the processing of personal data is the consent given by posting comments on the blog.

Data collected via the form for ideas and opinions about marquesderiscal.com:: the legal basis for the processing of personal data is the consent given by filling in the form provided for this purpose.

Data collected through the bodega tour booking form the legal basis for the processing of personal data is the execution of a contract to which the interested person is a party. For sending sales information, the legal basis is the satisfaction of the processor’s legitimate interests.

How have we obtained your personal data?

All the personal data which we process at VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A. and SERVICIOS AGROTURÍSTICOS RISCAL, S.L. are provided by the interested parties themselves or their legal representatives. The personal data we collect via the web site have been gathered through the various forms provided or through the email addresses established for contacting us.

Who will your personal data be shared with?

The personal data of customers, suppliers and employees will be shared, if applicable, with the tax authorities for compliance with legal and tax obligations, as well as with the banking establishment/s through which VINOS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.A. collect payments (in the case of customers) and make payments (in the case of suppliers and employees).

The personal data of customers, suppliers, employees and applicants may be shared with other companies in the Marqués de Riscal Group (made up of Vinos de los Herederos del Marqués de Riscal, S.A., Bodegas de los Herederos del Marqués de Riscal, S.A., Servicios Agroturísticos Riscal, S.L. and Hotel Marqués de Riscal, S.L.) for internal administrative purposes. In the same way, in response to legal bases based on the legitimate interests pursued by the processor and/or Marqués de Riscal companies, customer data may be shared with any of them for the purposes of sending sales information about similar products or services to those which the customer has contracted.

Furthermore, in order to manage in a more efficient, dynamic and operative way and to be able to have better control over information communicated by email, we use MailChimp, a platform devised by The Rocket Science Group Llc, a body accredited by the Privacy Shield EU-USA. Information about this can be found at https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active. Privacy Policy of The Rocket Science Group Llc: https://mailchimp.com/legal/privacy/

How long will we keep your personal data?

Client and supplier data: their personal data will be stored for the duration of the corresponding contractual relationship and, once this has terminated, for the period of the limitation of liabilities established by the applicable legal provisions.

Staff data: employees' personal data will be stored for the duration of the employment contract and, once this has terminated, for the period of the limitation of liabilities established by the applicable legal provisions.

Candidate data: the personal data of candidates will be stored for a maximum period of two years.

Data collected through the contact form: the personal data provided by users who contact us will only be stored while their request is being dealt with so that, once their request has been processed, their details will be deleted.

Data collected through the blog: the personal data provided will be stored until such time  as the interested parties withdraw their consent.

Data collected via the form for ideas and opinions about marquesderiscal.com:: the personal data provided will be stored until such time  as the interested parties withdraw their consent .

Data collected through the bodega tour booking form: the personal data will be kept until the bodega visit has taken place and, subsequently, during the time necessary to meet legal obligations. In the case of sending marketing material, personal data will be stored for as long as the interested parties do not withdraw their consent.

Data from users of our social media profiles: the periods of storage for personal data from our followers on social media depend on the policies of each social network, although we will only process it while they follow us.


What rights do you have when you provide us with your personal data?

  • Right to request access to your personal data: to learn and verify the legality of the processing, you may request confirmation as to whether BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L. are processing your personal data at any time and if this is the case, we will inform you, among other matters, of the data we are processing, its purpose, source, expected data storage period and where appropriate, recipients or categories of recipients.
  • Right to request amendment of data: you can request the amendment of any personal data that is inaccurate or ask us to complete any incomplete data through an additional declaration. In such a case you must indicate in your request which data you are referring to and the correction that should be made, attaching, where appropriate, supporting documentation of the inaccuracy or incomplete nature of the data being processed.
  • Right to request data deletion (“right to be forgotten”): you can request that your personal data be deleted and no longer processed if it is no longer necessary for the purposes for which it was collected or if processed in another way, withdraw consent, or it has been processed illegally or must be deleted to comply with a legal obligation.
  • Right to request limitation of personal data processing: in this case BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L. will only hold your personal data for the formulation, exercise or defence of claims, or with a view to protecting the rights of another legal entity or individual or for overriding public interest.
  • Right to the portability of your personal data: you can request that we hand over your personal data, to you or another person as indicated by you, in a structured, usable and readable format.
  • Right to oppose the processing of your data: BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L.  will stop processing your personal data as you indicate, unless we have to continue processing it for compelling legitimate grounds or for the formulation, exercise or defence of potential claims.

How to exercise your data protection rights: to exercise your rights please send a written request to BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L. Calle Torrea, 1, 01340, Elciego, Álava, Spain or send an email to dpo@marquesderiscal.com, attaching in any case a photocopy of your national identity document.

BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L.  will respond to the requests within the periods and under the conditions required by prevailing personal data protection legislation.

How to lodge a complaint with the Spanish Data Protection Agency: if you consider that we have not properly processed your personal data or that we have not duly assisted you in exercising your data protection rights, you can lodge a complaint with the Spanish Data Protection Agency, either via its website or its address, at 6, Calle Jorge Juan, 28001, Madrid. Further information on data protection rights and complaints to the supervisory authorities is available on www.agpd.es. 

Security

In accordance with that provided in article 32 of the GDPR, BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L. have adopted the appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk presented. Data processing risks have been taken into account in order to assess the appropriate security level, in particular as a result of the destruction, loss or accidental or illegal alteration of the personal data transferred, stored or processed in a different way, or the communication or unauthorised access to such data. 

Obligation to secrecy

BODEGAS DE LOS HEREDEROS DEL MARQUÉS DE RISCAL, S.L. have adopted measures to ensure that any person acting under their respective authority with access to personal data provided by users, can only process them by following the company's instructions, as well as maintaining their professional confidentiality, which will be of an indefinite duration. To this effect, our employees have signed a confidentiality and obligation to secrecy document regarding the information and personal data that they process in the course of their existing employment relationship with the company.

Website use by minors

We ask our users to read the policies on the use of the website by minors that we have published on the "Legal advice" section of our website.

Social media

Social media profiles: MARQUÉS DE RISCAL has profiles on some of the main social networks that currently exist, and it may process the personal data of our followers, people that appear in the posts that we publish (for example photographs) and people who send us private messages. 

Data processing and purpose: the data processing that MARQUÉS DE RISCAL will perform will be limited and conditioned by the policies and functions of each social network.  

When a user becomes one of our followers on a social network they consent to us using their personal data solely in the environment of the corresponding social network to manage our page or profile and to the two-way communication that we may have with our followers via chat, messages or other means of communication provided by the social network both at the present time and in the future. This means that we will have access to their profile information that appears in the comment, for example and without limitation, to their username, image (in the event that the user has a profile picture), and any comments made. 

We would also like to inform you that when a user becomes one of our followers, the news that we publish will also appear on their wall and, should they make comments on ours, both their comment and their profile name and, where appropriate, their profile picture, will be visible to other followers. In any case, users are responsible for their own use of social media. We will not use users' personal data for any purposes other than those indicated in the previous paragraphs or to send them information in any other way other than through the social network in question. Unless the interested party gives their consent or asks us to fulfil a request, we will not extract personal data from the social media environment.

Data protection rights: with regard to the rights of access, amendment, deletion, processing limitation, opposition and portability of their personal data we can act in accordance with the possibilities allowed by each social network. MARQUÉS DE RISCAL will provide all the assistance it can so that the interested party can exercise their aforementioned rights. Any of our followers can cease to follow our page or profile at any time and we would no longer have any access to their personal data, although the social media in question will save the comments that have previously been posted on our wall.  In any case, users are responsible for their own use of social media, and therefore, MARQUÉS DE RISCAL does not accept any liability for this.

 Cookies

Cookies are small text files which are stored on the hard-drive or memory of the computer used to access or visit the pages of certain websites, storing user preferences for when they next connect. The cookies stored on the hard-drive cannot read the data stored on the hard-drive, access personal information or read cookies created by other providers. For further information on the cookies used on this website, read the "Cookies policy" section.

Date of Text: 24 May 2018