Terms and conditions - Loja da Quinta

PERSONAL DATA PROTECTION AND PRIVACY POLICY

QUINTA DAS ARCAS is deeply committed to protecting your personal Data and Privacy as established in the Data Protection Code of Conduct.

QUINTA DAS ARCAS processes the personal data of their employees, clients, partners, service providers, and suppliers throughout their daily activities (managing employees, prospecting and managing customer solutions, etc.).

Individuals are becoming more aware of the data they are sharing and they expect it to be suitably processed and for their personal data to be protected.

Public entities are becoming more aware of these subjects. Companies processing personal data are facing higher obligations and may be prosecuted by means of civil, criminal, and financial sanctions. Thus, QUINTA DAS ARCAS and its Entities must comply with European Regulation No. 2016/679 from 2016.4.27 on personal data protection.

Subsequently, QUINTA DAS ARCAS is becoming more exposed to risks associated with the inappropriate collection, use, change, compromise, and even forgery of internal and external personal data.

Based on our ethical values regarding personal data and privacy, and being aware of the importance of privacy and data protection rules, as well as the associated risks in the case of a breach, QUINTA DAS ARCAS undertakes to protect such data and privacy, and subsequently implement the policy established in this document.

2. SCOPE AND GOALS

The Policy is in line with the Data Protection Conduct Code.

This Policy’s principles are based on the international conventions. In the case of a conflict between this Policy and the applicable international conventions, or the national regulations that apply to QUINTA DAS ARCAS, the latter shall prevail over these principles.

The QUINTA DAS ARCAS Data Privacy Policy applies to all its employees and Clients.

This policy shall be further developed and reinforced with a gradual increase in documents (methodologies, procedures, good practices, awareness, etc.) in order to reach the established goals.

The requirements to be followed must be fulfilled before the effective implementation of intended data processing, for which reason they must be taken into account when planning a project involving the processing of personal data. Once implemented, data processing must always respect the principles within this Policy. Similar requirements may also apply in the case of any changes to the data processing conditions. 

Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Article 4).

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR, Article 4).

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (GDPR, Article 4).

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR, Article 4).

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR, Article 4).

Personal data protection goals and means herein must be implemented by QUINTA DAS ARCAS.

QUINTA DAS ARCAS shall ensure compliance with the data Privacy Policy and Data Protection laws before implementing data processing and throughout its entire execution and operations.

QUINTA DAS ARCAS may designate a Data Protection Officer as to ensure compliance with the national legislation.

The Data Protection Officer shall be granted the necessary time and resources to fulfil their mission. Since they are responsible for the application of this Policy and ensuring compliance with the European Regulations.

Shall be subjected to professional secrecy requirements and have direct access to data (meaning that they shall not be denied access to data);

Shall be autonomous and report to QUINTA DAS ARCAS’ highest level;

Undertakes to inform the Data Protection Authority of any incidents (data breach) within 72 hours, and also inform the affected data subjects if needed;

Undertakes to carry out or organise auditing and inspections.

All employees implementing an application that processes personal data shall inform the Data Protection Officer or Person responsible for data protection beforehand, since the processing of data may require a previous notification to a Data Protection Authority or consent from the data subject.

Any third party – including data controllers – providing services on behalf of QUINTA DAS ARCAS must be aware of this Policy’s principles regarding the personal data they access and process.

QUINTA DAS ARCAS has implemented suitable logical, physical, organisational, and safety measures, which are necessary and sufficient for protecting data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, or any other form of accidental or unlawful processing.

The following data protection principles apply to all QUINTA DAS ARCAS Entities unless otherwise or more strictly established in the national legislation.

Explicit, lawful, loyal, and transparent purposes: Personal data must be processed for specific, explicit, and legal purposes. Information sent to the data subject must be concise, easily accessed, and understandable.

Relevance, minimisation, and proportionality: Collection of personal data must be suitable, pertinent, exact, and up-to-date, if necessary, and relevant and limited to that strictly necessary. 

Storage limitation: The period for preserving processed personal data shall be defined according to the collection purpose and legislation in force.

Data subjects must be informed of the data preservation period or, if the latter is not possible, the criteria used to determine it. After the deadline for preserving personal data has expired, it must be erased or anonymised.

Sensitive Data: Sensitive data may only be processed with the explicit consent of the data subject or under circumstances which have been expressly authorised by the legislation in force. Sensitive data also include union membership and genetic or biometric data for an individual’s single identification.

Integrity and confidentiality: All appropriate protection measures must be taken as to ensure the integrity and confidentiality of personal data.

Measures such as pseudonymisation, anonymisation, and encryption must be taken in order to ensure the integrity and confidentiality of processed data.

International Transfer: When transferring personal data to entities outside the EU, you must ensure that the countries receiving the data offer at the very least the protection level within this Policy and the specific requirements of the EU regulations.

Openness and respect for individual rights: Transparent policies must be implemented regarding the rights of the data subject, such as: the right to transparency, information, notifications, access, rectification, erasure, limited processing, portability, objection, and non-subjection to automated decisions.

Obligations of the Data Controller: Any Entity engaging a data processor to process data shall remain responsible for the protection of that personal data. Entities must ensure that data are processed according to the protection principles in the QUINTA DAS ARCAS Data Privacy Policy and EU regulations. A contract or agreement must be established in order to foresee that the obligations of the controller are in compliance with the personal data protection rules, including confidentiality and integrity measures.

Quinta das Arcas here is the LOJA DA QUINTA undertakes to protect the personal data entrusted to them.

For this reason, all personal information shall be processed and protected with due diligence and always in accordance with the applicable law: EU Regulation 2016/679, General Data Protection Regulation (GDPR).

At Quinta das Arcas, we are aware that the use of your personal data requires responsible processing based on trust. We respect your privacy and we will process your data in strict compliance with the legislation in force. 

Access is restricted in order to protect your personal data; we do not transfer data; we only store data on the website’s back office and GDPR module of the ERP software with restricted access; we protect our technological systems by means of a firewall; we record every data access in order to detect unlawful data usage.

Data Processing and Privacy Policy

This Data Processing and Privacy Policy governs the collection and processing of personal data provided by clients and used by Quinta das Arcas and all marketed brands, as well as the online store, along with the exercise of your rights regarding such data pursuant to the Personal Data Protection Law in force.

Data Processing Scope

This Data Processing and Privacy Policy applies to personal data collection and processing within the scope and for the purpose of business and marketing operations, sending text messages, e-mails, newsletters with information, and event registrations.

Quinta das Arcas reserves the right to, at any given moment, change this Data Processing and Privacy Policy, which shall be properly publicised on the company's website.

Data Processing Goal

Personal data collected by Quinta das Arcas concern personal information such as a name, e-mail address, post address, mobile and/or landline phone number, and taxpayer identification number in the case of the company having to issue an invoice.

Data Processing Purpose

Personal data collected within the scope and for the purpose of sending e-mails and newsletters, event registrations, and marketing campaigns are solely intended for processing client/user requests and shall not be used for any other purpose than that for which the data were collected pursuant to this Privacy Policy.

 

Third Party Disclosure

Quinta das Arcas does not disclose personal data from their clients and users to third parties without their consent unless such is required by law.

Deadlines for storing data 

We shall store your data for as long as strictly necessary. 

Rights of the data subject

In compliance with the Personal Data Protection Law in force, clients/users may, at any given moment, exercise their right to access, rectify, limit, object, or erase their personal data, as well as their right to data portability, by means of a written request to Quinta das Arcas, at the address of Quinta das Arcas 4440-392 Sobrado Valongo, or to e-mail address rgpd@quintadasarcas.com

Quinta das Arcas undertakes to answer your request within 30 days.

For more information on the use given to your personal data, please send us an e-mail to rgpd@quintadasarcas.com