REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on Data Protection)

 

 

CHAPTER I

General provisions

Article 1

Object and objectives

1. This Regulation lays down rules on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. This Regulation shall protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall not be restricted or prohibited on grounds relating to the protection of individuals with regard to the processing of personal data.

 

 

Article 2

Scope of material application

1. This Regulation shall apply to the processing of personal data by means wholly or partly automated and to the non-automated processing of personal data contained in or intended for archives.

2. This Regulation shall not apply to the processing of personal data:

(a) carried out in the exercise of activities not subject to the application of the law of the Union;

(b) carried out by the Member States in the exercise of activities falling within the scope of Title V, Chapter 2, of the TEU;

(c) performed by a natural person in the exercise of exclusively personal or domestic activities;

(d) performed by the competent authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.

3. Regulation (EC) No 45/2001 shall apply to the processing of personal data by the Union's institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other legal acts of the Union applicable to processing shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular the rules on liability of intermediary service providers, provided for in Articles 12 to 15 thereof.

 

 

Article 3

Territorial scope

1. This Regulation shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or a subcontractor located within the territory of the Union irrespective of whether the processing takes place within or outside the Union.

2. This Regulation shall apply to the processing of personal data of holders resident in Union territory by a controller or subcontractor not established in the Union where the processing activities relate to:

(a) the supply of goods or services to such data holders in the Union, irrespective of the requirement for data holders to make a payment;

(b) control of their conduct, provided that such conduct takes place within the Union.

3. This Regulation shall apply to the processing of personal data by a controller established not in the Union but in a place where the law of a Member State applies under public international law.

 

 

Article 4

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) 'personal data' means information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, identifiers by electronic means or to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

What data do we collect | How do we collect them | Purpose of collecting data

A. We have collected two types of user information: data that users provide through voluntary registration on our site, and tracking information derived primarily from pageviews on our site. This information helps us better tailor our content to customer needs and demographically understand our audience. While we track user traffic patterns throughout our site, we do not correlate this information with data about individual users. While we track the search terms that users enter into our search engine, this tracking is never associated with individual users.

B. We ask for this information to understand customer needs and provide better service and in particular for the following reasons:

- We may use the information to improve our services,

- We periodically send promotional emails about new products, special offers or other information that we think the customer may find interesting.

We will not sell, distribute or rent your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties, which we think you may find interesting if you let us know that you want this to happen.

If you believe that any information we have about you is incorrect or incomplete, please write or email us as soon as possible. We will promptly correct any incorrectly found information.

If you have previously agreed to use your personal information for direct marketing purposes, you may change your mind at any time by writing or sending an e-mail to: dpo@Winehouseportugal.com

 

(2) 'processing' means an operation or a set of operations carried out on personal data or on personal data sets by automated or non-automated means such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, erasure or destruction;

How we treat data | Where are they stored

We collect personal data from customers, treat them anonymously, and do not communicate personal data to any company outside Wine House Portugal.

We work with SendingBlue for Email Marketing; only customer emails are stored on this platform. All other customer data (names, addresses, contacts and, if applicable, bank details) are on our European server.

 

(3) 'limitation of processing' means the insertion of a mark in the personal data stored in order to limit its processing in the future;

Saved data period

At any time, the client can register, organize his data, adapt or change his data, request the recovery of his data, consult his data, use and/or copy his data and erase or destroy his data.

Customer data is stored for 3 years from the last interaction with the site, but at any time the customer may request that their account be deleted.

 

(4) 'Profile definition' means any form of automated processing of personal data consisting in the use of such data in order to assess certain personal aspects of a natural person, in particular to analyze or predict aspects relating to his professional performance, health, personal preferences, interests, reliability, behavior, location or travel;

 

(5) 'Pseudonymization' means the processing of personal data in such a way that it can no longer be allocated to a specific data subject without the use of supplementary information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that personal data cannot be attributed to an identified or identifiable natural person;

 

(6) 'file' means any structured set of personal data accessible by specific criteria, whether centralized, decentralized or distributed in a functional or geographical manner;

 

(7) 'controller' means a natural or legal person, public authority, agency or other body which, individually or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to his appointment may be laid down by Union or Member State law;

DPO - Data Protection Officer

We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have implemented adequate physical, electronic and administrative procedures to safeguard and protect the information we collect.

Our company has a Data Protection Officer, who guarantees the security of personal data.

Should you wish to contact this person for any questions regarding the security of personal data, please contact him at dpo@winehouseportugal.com.

 

(8) 'subcontractor' means a natural or legal person, public authority, agency or other body which treats personal data on behalf of the controller;

 

(9) 'recipient' means a natural or legal person, public authority, agency or other body receiving communications of personal data, regardless of whether or not it is a third party. However, public authorities which may receive personal data in the context of specific investigations under Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities shall comply with data protection rules applicable to the purposes of the processing;

 

(10) 'third party' means a natural or legal person, a public authority, a service or body other than the data subject, the controller, the subcontractor and persons who, under the direct authority of the controller or the subcontractor, are authorized to process personal data;

 

(11) 'consent' of the data subject means a free, specific, informed and explicit expression of wishes by which the data subject accepts, by means of a statement or an unequivocal positive act, that the personal data concerning him/her are treated;

 

(12) 'breach of personal data' means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise treated;

 

(13) 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information on the physiology or health of that natural person and which results inter alia from an analysis of a biological sample from the person concerned;

 

(14) 'biometric data' means personal data resulting from a specific technical treatment relating to the physical, physiological or behavioral characteristics of a natural person enabling or confirming the unique identification of that natural person, in particular facial or dactyloscopic data;

 

(15) 'health data' means personal data relating to the physical or mental health of a natural person, including the provision of health services, which disclose information about his or her health;

 

(16) 'main establishment' means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing personal data are taken in another establishment of the controller in the Union and that establishment has the power to enforce such decisions, in which case the establishment which has taken those decisions is considered the main establishment;

(b) in the case of a subcontractor with establishments in more than one Member State, the place of its central administration in the Union or, where the subcontractor does not have a central administration in the Union, the establishment of the subcontractor in the Union where the main processing activities in the context of the activities of an establishment of the subcontractor take place, to the extent that the subcontractor is subject to specific obligations under this Regulation;

 

(17) 'representative' means a natural or legal person established in the Union, who, designated in writing by the controller or subcontractor in accordance with Article 27, shall represent the controller or subcontractor in respect of their respective obligations under this Regulation;

 

(18) 'undertaking' means a natural or legal person who, regardless of its legal form, carries on an economic activity, including companies or associations which regularly carry out an economic activity;

André Carvalho

 

(19) 'business group' means a group consisting of the controlling undertaking and the controlled undertakings;

House of Wines

 

(20) 'binding rules applicable to undertakings' means internal rules for the protection of personal data applied by a controller or a processor established in the territory of a Member State for transfers or sets of transfers of personal data to a controller or subcontractor in one or more third countries, within a group of undertakings or a group of undertakings involved in a joint economic activity;

 

(21) 'supervisory authority' means an independent public authority established by a Member State in accordance with Article 51;

 

(22) 'control authority concerned' means a control authority affected by the processing of personal data on the grounds that:

(a) the controller or subcontractor is established in the territory of the Member State of that control authority;

(b) data owners residing in the Member State of that control authority are substantially affected or likely to be affected by the processing of the data; or

(c) a complaint has been lodged with that supervisory authority;

 

(23) 'cross-border treatment'

(a) the processing of personal data occurring in the context of the activities of establishments in more than one Member State of a controller or a subcontractor in the Union where the controller or the processor is established in more than one Member State; or

(b) the processing of personal data occurring in the context of the activities of a single establishment of a controller or a processor but which substantially affects, or is likely to materially affect, data holders in more than one Member State;

 

 

(24) 'relevant and reasoned objection' means an objection to a draft decision seeking to establish whether there is a breach of this Regulation or whether the proposed action with regard to the controller or the subcontractor is in conformity with this Regulation, clearly demonstrating the seriousness of the risks arising from the draft decision for the fundamental rights and freedoms of data subjects and, where appropriate, the free movement of personal data within the Union;

 

(25) 'information society services' means a service defined in Article 1 (1) (b) of Directive 2015/1535 of the European Parliament and of the Council (1);

 

(26) 'international organization' means an organization and bodies governed by public international law which it administers, or another body set up by an agreement concluded between two or more countries or on the basis of an agreement of that kind.

Use of Cookies

Cookies are small text files stored on your computer. Cookies do not store sensitive information, such as your name, address, or payment details.

The WinehousePortugal website uses cookies to operate the cart, to provide features such as 'My Account' and to remind you when to return to our site.

To make a purchase on the WinehousePortugal website, you must have cookies enabled. If you do not want to enable cookies, you can still browse the site for search purposes.

Most browsers have cookies enabled by default, since without them many sites' functionality is compromised. If you'd like to learn more about cookies in general and how to manage them, visit www.aboutcookies.org.

 

- Third-party cookies

The WinehousePortugal website does not use third-party cookies for advertising networks or partner companies, nor for marketing to visitors and customers outside the site itself.

 

- Pixels

The WinehousePortugal website does not use pixels for advertising networks or partner companies, nor for marketing to visitors and clients outside the site itself.

 

- Google and the Google group of companies:

The WinehousePortugal website uses Google Analytics to track overall site usage.

 

- Content Sharing and Social Networks:

If you take the opportunity to 'share' WinehousePortugal's content with friends via social networks - such as Facebook and Twitter - you may receive cookies from these sites. We do not control the configuration of these cookies, so please check the third-party sites for more information about their cookies and how to manage them.

 

CHAPTER II

Principles

 

Article 5

Principles concerning the processing of personal data

1. The personal data are:

(a) subject to lawful, fair and transparent treatment in relation to the data subject ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and cannot be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, or for the purposes of scientific or historical research or for statistical purposes, is not considered incompatible with the original purposes in accordance with Article 89 (1) ('limitation of purpose');

(c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization');

(d) accurate and updated whenever necessary; all appropriate measures must be taken to ensure that inaccurate data, taking account of the purposes for which they are processed, are deleted or rectified without delay ('accuracy');

4.5.2016 EN Official Journal of the European Union L 119/35

(1) Directive 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and rules on Information Society services (OJ L 241, 17.9.2015, p.1).

(e) preserved in a way that allows the data subjects to be identified only for the period necessary for the purposes for which they are processed; personal data may be retained for longer periods provided that they are processed solely for the purpose of archiving in the public interest or for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), subject to application of the appropriate technical and organizational measures required by this Regulation, in order to safeguard the rights and freedoms of the data subject ('conservation limitation');

(f) treated in a manner that ensures their safety, including protection against unauthorized or unlawful treatment and against their accidental loss, destruction or damage, by taking appropriate technical or organizational measures ('integrity and confidentiality');

2. The controller shall be responsible for compliance with paragraph 1 and must be able to prove it ('responsibility').

 

Article 6

Lawfulness of the treatment

1. Treatment shall be permitted only if and in so far as at least one of the following situations occurs:

(a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract in which the data subject is a party, or for pre-contractual arrangements at the request of the data subject;

(c) processing is necessary for the fulfillment of a legal obligation to which the controller is subject;

(d) the processing is necessary for the defense of vital interests of the data owner or another natural person;

(e) the processing is necessary for the performance of functions of public interest or for the exercise of the public authority of which the controller is invested;

(f) the processing is necessary for the legitimate interests pursued by the controller or by third parties, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail, in particular if the data subject is a child. The first subparagraph, point (f), does not apply to the processing of data by public authorities in the pursuit of their attributions by electronic means.

2. Member States may maintain or adopt more specific provisions with a view to adapting the application of the rules of this Regulation as regards the processing of data for compliance with paragraph 1 (c) and (e), by defining more precisely specific requirements for treatment and other measures to ensure the lawfulness and fairness of treatment, including for other specific treatment situations in accordance with Chapter IX.

3. The legal basis for the treatment referred to in points (c) and (e) of paragraph 1 shall be laid down:

(a) by Union law; or

(b) by the law of the Member State to which the controller is subject.

The purpose of the processing is determined on that legal basis or, as regards the treatment referred to in paragraph 1 (e), it must be necessary for the performance of functions in the public interest or for the exercise of the public authority of which the controller is invested. That legal basis may lay down specific provisions for adapting the application of the rules of this Regulation, in particular: the general conditions of lawfulness of treatment by the controller; the types of data being processed; the data subjects concerned; the entities to which the personal data may be communicated and for what purposes; the limits to which the purposes of treatment must comply; conservation terms; and treatment operations and procedures, including measures to ensure the legality and fairness of treatment, such as measures relating to other specific treatment situations in accordance with Chapter IX. The law of the Union or of the Member State must meet a public interest objective and be proportionate to the legitimate objective pursued.

4. Where processing for purposes other than those for which the personal data have been collected is not carried out on the basis of the consent of the data subject or of provisions of Union law or of the Member States which constitute a necessary and proportionate measure, the controller, in order to ensure that the treatment for other purposes is compatible with the purpose for which the personal data were originally collected, shall in particular take account of:

(a) any link between the purpose for which the personal data were collected and the purpose of the subsequent processing;

(b) the context in which the personal data have been collected, in particular as regards the relationship between data subjects and the data controller;

(c) the nature of personal data, in particular if special categories of personal data are processed in accordance with Article 9, or if personal data relating to criminal convictions and infringements are processed in accordance with Article 10;

(d) the possible consequences of the intended subsequent processing for data subjects;

(e) the existence of adequate safeguards, such as encryption or pseudonymization.