Bolney Wine Estate Limited — Privacy Notice

Contents

1. Why do we have this privacy notice?
2. The controller of your personal information
3. Your duty to inform us of changes
4. If you have queries or concerns, just ask!
5. Changes to this notice
6. Data protection principles
7. What personal information do we collect?
8. We aim not to collect personal information about children
9. Where do we collect your personal information from?
10. What are our bases for processing your personal information?
11. How will we use your personal information?
12. Automated decision-making
13. Who has internal access to your personal information?
14. Who do we share your personal information with externally?
15. International transfers
16. How do we protect your personal information?
17. For how long do we keep your personal information?
18. Your rights
19. Complaints
20. Contacting us

1. Why do we have this privacy notice?

We are Bolney and treating individuals and their personal information with respect reflects our core values as a business.  We want you to know as much as possible about what we do with your personal information.  You and your personal information are protected by various laws and guidance and Bolney is committed to upholding these and respecting your privacy and keeping your information safe.  So, whilst this privacy notice is quite long, we want you to be fully informed.

In this privacy notice any reference to “us”, “we”, “our” or “ourselves” is a reference to Bolney (being Bolney Wine Estate Limited and its parent company Freixenet Copestick Limited), and any reference to “you”, “your” or “yourself” is a reference to you as someone who has a relationship with us in some way, who has contacted us or interacted with us in some way, or your personal information is relevant to the work we do as a business.  This privacy notice will not apply in relation to you to the extent you are a current or past staff member or worker for Bolney (for this please see our Staff Privacy Notice).

This privacy notice will cover you if you interact with us or we process your personal information for any other reason. This privacy notice applies whether you shop with us online, are member of our wine club, participate in an event including tours organised by us, or otherwise engage with us.

This privacy notice will also cover you if you visit us online, use our website(s), or where you link to or follow our social media accounts, if you contacts us, and if you are otherwise affected by our activities to the extent not covered by our Staff Privacy Notice.  This privacy notice provides details in accordance with data protection laws about how we collect and use personal information about you, during and after your relationship with us.

As this privacy notice covers a wide range of individuals and different types of relationships and interactions with us, not all aspects of this privacy notice may apply to you depending upon the nature of your relationship with us , interactions with us and why we are processing your personal information.  If you have any queries regarding your personal information, you can contact our Data Protection Officer, Harmeet Singh Matharu, who can be contacted at [email protected] .

---

2. The controller of your personal information

For the purposes of data protection laws and this privacy notice, we are the controller of your personal information for the processing of your personal information. Being a controller of your personal information means that we are responsible for deciding how we hold and use your personal information. Our corporate details are Bolney Wine Estate Limited, a company incorporated in England and Wales with our registered office Bolney Wine Estate, Foxhole Lane, Bolney, Haywards Heath, West Sussex, England, RH17 5NB. If you have any queries regarding your personal information, you can contact Harmeet Singh Matharu, who can be contacted at [email protected]

---

3. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during or after the period of your interactions with us..

---

4. If you have queries or concerns, just ask!

If you have any questions about this privacy notice or how we handle your personal information, please contact our Data Protection Officer, who can be contacted at [email protected] and the address included above.

---

5. Changes to this notice

We keep our privacy notice under regular review and we may update this privacy notice from time to time. The current version of this notice is available by requesting a copy from Harmeet Singh Matharu, who can be contacted at [email protected] . If there are any material changes to this privacy notice in the future, we will let you know, usually by updating the version on our main website

---

6. Data protection principles

We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations.  Data protection laws say that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

To make sure this happens we are required under data protection laws to notify you of the information contained in this privacy notice.  It is important that you read this document before you begin interacting with us or deal with us in any way so that you understand how and why we will process your personal information.

---

7. What personal information do we collect?

In connection with your relationship or interactions with us, we may collect and process a wide range of personal information about you. This includes:

• Personal contact details such as name, title, address, email address, and telephone number(s).
• Information about your date of birth and age.
• Order and purchase history.
• Membership or subscriptions with us.
• Details of your attendance at our events or venues.
• Bank account details, financial transactions, payments.
• Any terms and conditions relating to your relationship with us.
• Any communications between ourselves and you including email communications
• Delivery details including delivery address.
• Responses to surveys, promotions and competitions.
• Records of contact or communications with our customer service teams.
• How you use our website(s) as we collect information about the pages you look at and how you use them, usernames, account details and passwords, IP addresses, entry and exit data when you look at or leave our website, details of services that may be of interest to you, online subscription information for example when you ask to receive our updates), browser related information, cookies that are set on your device by our website(s) (for more details on our cookie policy please visit this link.
• Details of services carried out by you, or products supplied by you, in connection with our relationship with you, details of your interest in and connection with any organisation which supplies any product or services to us, details of any products or services supplied to us.
• Business related information, such as where you are a sole trader, a partner or a company director or a key member of staff of a business we have a relationship with.
• Performance information related to our relationship with you or a business we have a relationship with.
• Publicly available personal information, including any which you have shared via a public platform, online or on social media and also non-public personal information where you have followed or linked to any of our social media.
• Details of your education or work history including organisations, positions, roles, responsibilities.
• Creditworthiness as we may undertake investigations in order to establish whether to enter into or continue a business relationship with you or your organisation.
• Your usage of any of our IT systems we make available to visitors to our premises, e.g. visitor Wi-Fi.
• Identification information including your driving license and/or passport and background checks.
• Details of any queries, complaints, claims, and cases involving both us and yourself including any related communications.
• Information obtained through electronic means such as swipe card records and access control systems if you visit our premises.
• Photographs, video footage, audio recordings, and other content, for example when you leave a voicemail message, or which you may provide to us.
• CCTV images if you visit any areas of our premises that are covered by our CCTV system (CCTV images relating to you will be covered by our separate privacy notice regarding our CCTV system which can be found at CCTV Privacy Notice or you can request a copy by contacting us as described in the “Contacting us” section below)
• Information from Companies House about you and non-public details of shareholdings, investments or other interests you may have and any dealings you may have in any of them.
• Any other personal information you provide to us.

We may also in some cases collect and process more sensitive special category personal information including:

• Information about your health including any medical condition, health, and sickness records, including:
• where you have a disability or medical condition for which we need to make reasonable adjustments, including where you visit our premises.
• where you inform us about any ill-health, injury, or disability.
• information about your health, for example as part of the recruitment process in relation to benefits as part of your remuneration.
• In some cases equal opportunities monitoring information, including information about your ethnic origin, political opinions, religion or philosophical beliefs, sex life, or sexual orientation.  This will usually only be where it is relevant to your recruitment or you provide it to us for some other reason.

In cases where it is relevant, we may also collect criminal records information about you, for example an offence committed by you or alleged to have been committed by you that impacts on your relationship with us or your position in an organisation regulated by us or it affects your ability to work for us.

If you are providing us with details of any other individuals they have a right to know and to be aware of what personal information we hold about them, how we collect it and how we use and may share that information.  Please share this privacy notice with them. They also have the same rights as set out in this privacy notice in relation to their personal information that we collect.

---

8. We aim not to collect personal information about children

Our website, materials, and other services we provide are not intended for use by anyone under the age of 18 years and we do not knowingly collect personal information relating to anyone under the age of 18 years old unless for some reason you provide it to us.

9. Where do we collect your personal information from?

We collect your personal information in a variety of ways and from a variety of sources as set out below:

• Often most of your personal information is collected directly from you for example through your purchases from us, your memberships with us or other through other contact with you, when we provide products or provide services to you, when you visit our premises, meetings, or other interactions with us or other personal information you provide to us.
• If you work for an organisation that has a relationship with us, then we may collect some of your personal information from them.
• If you are a client or customer of an organisation that we provide products or services to, then we may collect all personal information about you from that organisation, and not directly from you.
• From our website, other websites, the internet, social media, or other platforms including public sources of information.
• From our website(s) and information technology and communications systems, access control systems and suppliers we use in connection with them.
• From third parties appointed by you, for example any agency you work with or any financial or legal advisors.
• From third parties appointed by us, for example legal advisors appointed by us or credit reference agencies, identity or background check providers, data cleansing service providers or market/data research providers, analysis service providers
• From government or government related bodies, regulators, the police, law enforcement authorities, the security services and Disclosure and Barring Service in respect of criminal convictions.

We store personal information relating to you in a range of different places, such as information technology systems (including our email system).

---

10. What are our bases for processing your personal information?

We will only use your personal information when the law allows us to.  This means we must have one or more legal bases to use your personal information.  Most of these will be self-explanatory.  The most common legal bases which will apply to our use of your personal information are set out below:

• Where we need to perform the contract we have entered into with you which covers your relationship with us or to take steps to enter into that contract.
• Where we need to comply with a legal obligation which applies to us, for example complying with health and safety laws for visitors.
• Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.  We have set out in the section below how we use your personal information together with more details on our legitimate interests.
• Where you have given your consent.  Generally, we do not rely on or need your consent for almost all uses we make of your personal information.

Where we are processing any sensitive special category personal information about you (which covers personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning your sex life or sexual orientation) then we also need to have one or more of the following legal bases for using your personal information.

• Where we have your explicit consent to do so.
• Where it is necessary for us to comply with our obligations and exercising our rights in the field of employment law, social security law and social protection law.
• Where we need to protect your vital interests (or someone else’s vital interests).
• Where you have already made public the personal information.
• In establishing, exercising, or defending legal claims, whether those claims are against us or by us.
• Where it is necessary in the public interest.

We will not usually process any of these types of special category personal information about you, and in cases where we do process special category personal information about you it will generally be to comply with legal obligations, where you have given your consent or to establish, exercising or defending legal claims.  In some cases, more than one legal bases may apply to our use of your personal information.

Where we process criminal records information about you, then we will either do so either where we have a legitimate interest, to comply with legal obligations, or with your consent.

---

11. How will we use your personal information?

There are many ways we may need to use your personal information in the context of your relationship with us or our use of your personal information. We have set out the main uses below, and indicated the main applicable legal bases of processing, but there may be other specific uses which are linked to or covered by the uses below. We may need to process all your personal information:

• to process your order, your membership or subscription, or to maintain your account. This is necessary to enter into or perform a contract with you.
• to take payments for our products or services. This is necessary to enter into or perform a contract with you.
• to deliver products to you. This is necessary to enter into or perform a contract with you.
• to manage memberships or subscriptions with us. This is necessary to enter into or perform a contract with you, or we may have a legitimate interest to manage memberships or subscriptions.
• in connection with your attendance at our events or venues. This is necessary to enter into or perform a contract with you, or we may have a legitimate interest to deliver events or operate our venues.
• to answer your complaints or queries. We have a legitimate interest to improve the products or the services we provide and respond to your complaints or queries.
• in connection with new products and services or otherwise to improve our existing products and services. We have a legitimate interest to improve the products or the services we provide.
• to conduct direct marketing to you including conducting promotions or campaigns and competitions.  This may relate to the entry into, or performance of a contract with you either directly or indirectly, it may be in our legitimate interests, and in some cases we may rely on your consent to do this.
• to determine products and services that may be of interest to you. We have a legitimate interest to improve the products or the services we provide.
• to conduct data analytics and analysis studies and improve our business, use of our website(s) and social media which relates to us.  This will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
• to complete staff training. We have a legitimate interest to train our staff and to improve the products or the services we provide.
• to conduct any business or other relationship we have with you, or an organisation you work for, or an organisation of which you are a client or customer. This may relate to the entry into or performance of a contract with you or your organisation either directly or indirectly, which will be in our legitimate interests and we may also have legal obligations or be exercising a legal right to do this.  We may also, in some limited cases, rely on your consent.
• to monitor, manage, or record our relationship with you or an organisation which you work for, which may involve meetings, communications with you, decisions regarding your relationship with us.  This is necessary to enter into or perform a contract with you, or this may be in our legitimate interests to monitor, manage, or record our relationship with you or an organisation which you work for.
• to investigate misuse of your account and possible fraud. We have a legitimate interest to detect crime.
• to carry out background, identity, or other checks in relation to you and an organisation you want to register with us, or to carry out credit checks to decide whether to enter into a business relationship with you.  We have legitimate interest to conduct credit checks, or in some cases we may need to rely on your consent to do this.
• in connection with legal obligations connected to our relationship with you, for example to comply with health and safety laws when visiting our premises, to comply with data protection laws, to make filings at Companies House, to ensure equality and equal opportunities, or to invoke other legal rights.
• in connection with our need to keep and maintain proper records relating to your relationship with us or an organisation you work for and information about you which is relevant to that relationship. This is necessary to enter into or perform a contract with you, or either directly or indirectly, maintaining records will also be in our legitimate interests, and we may also have legal obligations to do this.
• to prevent, detect or prosecute criminal activity.  We have a legitimate interest to prevent or detect crime, we may also have legal obligations or be exercising a legal right to do this and it will also be in the public interest.
• to establish, bring, or defend legal claims. We may have legal obligations or be exercising a legal right to do this and processing may also be needed to establish, bring or defend legal claims.
• to ensure effective general business administration and to manage our business. This is necessary to enter into or perform a contract with you, or operating our business will be in our legitimate interests.
• to obtain referrals from other organisations you have worked for or with. As well as relating to the entry into or performance of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
• to monitor any use you make of our information and communication systems and our website and social media accounts to ensure compliance with our information technology policies, ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution and also to monitor your use of our website and social media.  As well as relating to the entry into or performance of a contract with you either this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.  In relation to social media, you may also have already made the personal information public.
• to carry out market research, so that we can better understand the customers we supply products or services to. We have a legitimate interest to improve the products or the services we provide.

---

12. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision about that person without any human intervention which produces legal effects concerning them or similarly significantly affects them. We do not currently use this type of automated decision making in our business in relation to you.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision making unless we have a lawful basis for doing so and we have notified you.

---

13. Who has internal access to your personal information?

Your personal information may be shared internally with our staff, including with our managers, our teams carrying out training, products or services, the technology team and senior staff in the business area involved in your relationship with us, or our other staff or workers where access to your personal information is necessary for the performance of their roles.  We only provide access to your personal information to those of our staff or workers who need to have access to your personal information.

---

14. Who do we share your personal information with externally?

When using your personal information, we may share it with third parties, but we will only do so when it is appropriate and we have a legal basis for doing so. Third parties that we may share your personal information with include:

• Any third party approved by you where we need to do so to enter into or perform a contract with you.
• Companies in the same group of companies as us for the purpose of providing a product or service to you.
• Delivery companies to deliver products that you have ordered from us.
• Payment providers to take payment for our products or services.
• Credit reference agencies so that we can assess your creditworthiness and to verify your identity.
• An organisation you work for or that represents you if that organisation has a relationship with us.
• Customers of our business, usually when you have a relationship with them as a member of their staff or as a client or customer of theirs.
• Service or product providers to our business, for example information technology services suppliers, credit reference agencies, marketing and public relations service providers.
• If you represent one of our suppliers, to other companies in the supply chain so they can contact you about any supply chain issues.
• Third parties that process personal information on our behalf and in accordance with our instructions, usually suppliers of services to us.
• Purchasers, investors, funders, and their advisers of our business if we sell all or part of our business, assets, or shares or where we restructure our business whether by merger, re-organisation, or in another way.
• Our legal and other professional advisers, including our auditors or any professional advisors appointed by you, for example a legal advisor or an agency you work with.
• Third party record keepers, for example to make filings at Companies House.
• Social media and other online platforms where relevant to our relationship with you.
• Governmental bodies, HMRC, other regulators (including the FCA and sometimes the ICO), police, law enforcement agencies, security services, courts/tribunals.
• We use Google Analytics which sets cookies to collect information about how visitors use our website.  For more details on our cookie policy please visit [Cookie Policy link]. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from, and the pages they visited.  To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
• We may also use other service providers for marketing purposes, such as Mailchimp and Webex.

We do not disclose personal information to anyone else except as set out above unless we are legally entitled to do so.

---

15. International transfers

It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (the EEA).  This will typically occur when service providers to our business are located outside the EEA.  These transfers are subject to special rules under data protection laws.

 

If we transfer your personal information outside of the UK and the EEA, we will ensure that the transfer will be compliant with data protection laws and all personal information will be secure.  Our standard practice is to assess the laws and practices of the destination country and relevant service provider and the security measures that are to be taken as regards the personal information in the overseas location; alternatively, we use standard data protection clauses. This means that when a transfer such as this takes place, you can expect a similar degree of protection in respect of your personal information.

Our directors and other key staff working for us may, in limited circumstances, access personal information from outside of the UK and EEA if they are on holiday abroad outside of the UK or EEA.  If they do so they will be using our security measures and the same legal protections will apply that would apply to accessing personal information from our premises in the UK.

In limited circumstances the people to whom we may disclose personal information may be located outside of the UK and EEA and we will not have an existing relationship with them, for example a foreign police force or a foreign regulator.  In these cases, we will impose any legally required protections to the personal information as required by law before it is disclosed.

If you would like any more details about how we protect your personal information in relation to international transfers, then please contact Harmeet Singh Matharu, who can be contacted at [email protected] .

---

16. How do we protect your personal information?

We are committed to keeping your personal information safe and secure and so we have numerous security measures in place to protect against the loss, misuse, and alteration of information under our control.  Our security measures include:

• Encryption of personal information where appropriate.
• Regular planning and assessments to ensure we are ready to respond to cyber security attacks and data security incidents.
• Regular penetration testing of systems.
• Security controls which protect our information technology systems infrastructure and our premises from external attack and unauthorised access.
• Aiming to use best in class security systems implemented across our networks and hardware to ensure access and information are protected.
• Regular backups of information technology systems data.
• Internal policies setting out our information security rules for our staff.
• Regular training for our staff to ensure staff understand the appropriate use and processing of personal information.
• Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, they are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.

We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.

---

17. For how long do we keep your personal information?

The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you.  We will hold your personal information for the duration of your relationship with us or the reason we were processing it, and then usually for a further period of up to 6 years after that. However, for some business relationships, for example those relating to land or our leases of premises, we may need to keep records for 12 years or more.

Whichever time period normally applies, in some cases we may need to keep your personal information for longer, for example if it is still relevant to a dispute or legal case or claim or a regulatory matter.

We will not retain your personal information for longer than necessary for the purposes for which it was collected, and it is being used. We do not guarantee to retain your personal information for the whole of the periods set out above; they are usually the maximum period, and in some cases we may keep your personal information for a much shorter period.

For more information please contact Harmeet Singh Matharu, [email protected] .

---

18. Your rights

As an individual whose personal information we collect and process, you have a number of rights.  You may:

• Withdraw any consent you have given to us, although this will only be relevant where we are relying on your consent as a basis to use your personal information, but it is an absolute right. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes for which you originally gave your consent, unless we have another legal basis for doing so, but withdrawing consent will not affect use that has already happened.
• Request details about how your personal information is being used.  This right is linked with the right of access mentioned below.
• Request access and obtain details of your personal information that we hold (this is commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information.  This means that you can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (set out below).  The right to have data erased does not apply in all circumstances.
• Object to the processing of your personal information where we are relying on a legitimate interest (ours or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Object to direct marketing where we are processing your personal information for direct marketing purposes.  This is an absolute right.
• Request the restriction of processing of your personal information. This enables you to ask us to stop processing your personal information for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing your personal information.
• Request the transfer of your personal information to another party in certain circumstances.
• Object to certain automated decision-making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your personal information to another service provider or the right to object to automated decision making, may not always apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us.  For example, we do not use automated decision-making in relation to your personal information which has legal or other significant effects for you.  However, some of your rights have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

If you would like to exercise any of these rights, please contact Harmeet Singh Matharu, [email protected] .

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).  This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a complex area of law.  More information about your legal rights can be found on the ICO’s website at https://ico.org.uk/for-the-public/.

---

19. Complaints

We hope you don’t have any reason to complain, and we will always try to resolve any issues you have. You always have the right to make a complaint at any time about how we deal with your personal information or your rights in relation to your personal information and we encourage you to contact us to resolve your complaint first. Our data protection complaints policy can be obtained by emailing our Data Protection Officer at [email protected] .

You can also make a compliant in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom or you can go to https://ico.org.uk/make-a-complaint/

---

20. Contacting us

If you have any queries regarding our use of your personal information or this privacy notice then please contact [email protected] or write to us at our business address Bolney Wine Estate, Foxhole Lane, Bolney, Haywards Heath, West Sussex, England, RH17 5NB.