Bolney Wine Estate Limited — Privacy Notice

We are Bolney Wine Estate, and treating individuals and their personal information with respect reflects our core values as a business. This notice explains who we are, what we collect, why we collect it, and what rights you have. Whilst it is quite detailed, we believe you deserve to be fully informed.

Contents

1. Why do we have this privacy notice?
2. The controller of your personal information
3. Your duty to inform us of changes
4. If you have queries or concerns, just ask!
5. Changes to this notice
6. Data protection principles
7. What personal information do we collect?
8. We aim not to collect personal information about children
9. Where do we collect your personal information from?
10. What are our bases for processing your personal information?
11. How will we use your personal information?
12. Automated decision-making
13. Who has internal access to your personal information?
14. Who do we share your personal information with externally?
15. International transfers
16. How do we protect your personal information?
17. For how long do we keep your personal information?
18. Your rights
19. Complaints
20. Contacting us

1. Why do we have this privacy notice?

We are Bolney, and treating individuals and their personal information with respect reflects our core values as a business. We want you to know as much as possible about how we use your personal information. You and your personal information are protected by various laws and guidance, and Bolney is committed to upholding these, respecting your privacy, and keeping your information safe.

In this privacy notice, any reference to “us”, “we”, “our” or “ourselves” is a reference to Bolney (being Bolney Wine Estate Limited and its parent company, Freixenet Copestick Limited). Any reference to “you”, “your” or “yourself” refers to you as someone who has a relationship with us, has contacted us or interacted with us, or whose personal information is relevant to the work we do as a business. This privacy notice will not apply to you to the extent you are a current or past staff member or worker for Bolney (for this, please see our Staff Privacy Notice).

This privacy notice covers you if you interact with us or we process your personal information for any other reason. It applies whether you shop with us online, are a member of our wine club, participate in an event or tour organised by us, or otherwise engage with us.

It will also cover you if you visit us online, use our website(s), link to or follow our social media accounts, contact us, or are otherwise affected by our activities to the extent not covered by our Staff Privacy Notice. It provides details, in accordance with data protection laws, on how we collect and use your personal information during and after your relationship with us.

As this privacy notice covers a wide range of individuals and different types of relationships and interactions, not all aspects may apply to you depending upon the nature of your relationship with us and why we are processing your personal information. If you have any queries, you can contact our Data Protection Officer, Harmeet Singh Matharu, at [email protected].

---

2. The controller of your personal information

For the purposes of data protection laws and this privacy notice, we are the controller of your personal information. This means we are responsible for deciding how we hold and use it. Our corporate details are:

Bolney Wine Estate Limited, a company incorporated in England and Wales, with registered office at Bolney Wine Estate, Foxhole Lane, Bolney, Haywards Heath, West Sussex, England, RH17 5NB.

If you have any queries regarding your personal information, you can contact Harmeet Singh Matharu at [email protected].

---

3. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes during or after your interactions with us.

---

4. If you have queries or concerns, just ask!

If you have any questions about this privacy notice or how we handle your personal information, please contact our Data Protection Officer at [email protected] or at the registered address above.

---

5. Changes to this notice

We keep our privacy notice under regular review and may update it from time to time. The current version is available upon request from Harmeet Singh Matharu at [email protected]. If there are any material changes in the future, we will let you know, usually by updating the version on our main website.

---

6. Data protection principles

We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations. Data protection laws say that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

To ensure this happens, we are required by data protection laws to notify you of the information contained in this privacy notice. It is important that you read this before you begin interacting with us so that you understand how and why we will process your personal information.

---

7. What personal information do we collect?

In connection with your relationship or interactions with us, we may collect and process a wide range of personal information about you. This includes:

• Personal contact details such as name, title, address, email address, and telephone number(s).
• Information about your date of birth and age.
• Order and purchase history.
• Membership or subscriptions with us.
• Details of your attendance at our events or venues.
• Bank account details, financial transactions, and payments.
• Any terms and conditions relating to your relationship with us.
• Any communications between you and us, including email communications.
• Delivery details, including the delivery address.
• Responses to surveys, promotions, and competitions.
• Records of contact or communications with our customer service teams.
• How you use our website(s) — we collect information about the pages you look at and how you use them, usernames, account details and passwords, IP addresses, entry and exit data, details of services that may be of interest to you, online subscription information, browser-related information, and cookies set on your device. For more details, visit this page about our cookie policy.
• Details of services carried out by you or products supplied by you in connection with our relationship, and details of any products or services supplied to us.
• Business-related information, such as where you are a sole trader, a partner, a company director, or a key member of staff of a business with which we have a relationship.
• Performance information related to our relationship with you or a business with which we have a relationship.
• Publicly available personal information, including any which you have shared via a public platform, online or on social media, and non-public personal information where you have followed or linked to any of our social media.
• Details of your education or work history, including organisations, positions, roles, and responsibilities.
• Creditworthiness: We may undertake investigations to determine whether to enter into or continue a business relationship with you or your organisation.
• Your use of any of our IT systems available to visitors to our premises, e.g., visitor Wi-Fi.
• Identification information, including your driving licence and/or passport, and background checks.
• Details of any queries, complaints, claims, and cases involving both us and you, including any related communications.
• Information obtained through electronic means, such as swipe card records and access control systems, is available upon your visit to our premises.
• Photographs, video footage, audio recordings, and other content, for example, when you leave a voicemail message, or which you may provide to us.
• Information from Companies House about you, and non-public details of shareholdings, investments, or other interests you may have.
• Any other personal information you provide to us.

We may also, in some cases, collect and process more sensitive special category personal information, including:

• Information about your health, including any medical condition, health, and sickness records — for example, where you have a disability or medical condition for which we need to make reasonable adjustments (including where you visit our premises), where you inform us about any ill-health, injury or disability, or health information provided as part of a recruitment process.
• In some cases, equal opportunities monitoring information, including information about your ethnic origin, political opinions, religion or philosophical beliefs, sex life, or sexual orientation. This will usually only be where it is relevant to your recruitment or you provide it to us for another reason.

In cases where it is relevant, we may also collect criminal records information about you, for example, an offence committed by you or alleged to have been committed by you that impacts your relationship with us.

If you are providing us with details of any other individuals, they have the right to know and be aware of what personal information we hold about them, how we collect it, and how we use and may share it. Please share this privacy notice with them.

---

8. We aim not to collect personal information about children

Our website, materials, and other services we provide are not intended for use by anyone under the age of 18 years. We do not knowingly collect personal information relating to anyone under the age of 18 unless, for some reason, you provide it to us.

9. Where do we collect your personal information from?

We collect your personal information in a variety of ways and from a variety of sources, including:

• Directly from you, for example, through your purchases, memberships, or other contact with you, when we provide products or services to you, or when you visit our premises.
• From an organisation you work for, if that organisation has a relationship with us.
• From an organisation we provide products or services to, if you are their client or customer.
• From our website, other websites, the internet, social media, or other public sources of information.
• From our information technology and communications systems, access control systems, and related suppliers.
• From third parties appointed by you, for example, any agency you work with or any financial or legal advisors.
• From third parties appointed by us, for example, legal advisors, credit reference agencies, identity or background check providers, data cleansing service providers, or market research and analysis providers.
• From government or government-related bodies, regulators, the police, law enforcement authorities, the security services, and the Disclosure and Barring Service in respect of criminal convictions.

We store personal information relating to you in a range of different places, including information technology systems such as our email system.

---

10. What are our bases for processing your personal information?

We will only use your personal information when the law allows us to. The most common legal bases which apply to our use of your personal information are:

• Where we need to perform the contract we have entered into with you, or to take steps to enter into that contract.
• Where we need to comply with a legal obligation that applies to us, for example, health and safety laws for visitors.
• Where it is necessary for legitimate interests pursued by us or a third party, and your interests and fundamental rights do not override those interests.
• Where you have given your consent. Generally, we do not rely on your consent for most uses we make of your personal information.

Where we process any sensitive special category personal information about you (covering personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation), we also need one or more of the following legal bases:

• Where we have your explicit consent to do so.
• Where it is necessary for us to comply with our obligations and exercise our rights in the field of employment law, social security law, and social protection law.
• Where we need to protect your vital interests (or someone else’s vital interests).
• Where you have already made the personal information public.
• In establishing, exercising, or defending legal claims, whether those claims are against us or by us.
• Where it is necessary in the public interest.

We will not usually process special category personal information about you. Where we do, it will generally be to comply with legal obligations, where you have given your consent, or to establish, exercise, or defend legal claims. Where we process criminal records information about you, we will do so where we have a legitimate interest, to comply with legal obligations, or with your consent.

---

11. How will we use your personal information?

There are many ways we may need to use your personal information in the course of our relationship with you. The main uses are set out below, along with the applicable legal bases.

• To process your order, membership or subscription, or to maintain your account. Necessary to enter into or perform a contract with you.
• To take payments for our products or services. Necessary to enter into or perform a contract with you.
• To deliver products to you. Necessary to enter into or perform a contract with you.
• To manage memberships or subscriptions with us. Necessary to perform a contract, or legitimate interest.
• In connection with your attendance at our events or venues. Necessary to perform a contract, or legitimate interest to deliver events or operate our venues.
• To answer your complaints or queries. Legitimate interest to improve the products or services we provide.
• In connection with new products and services or to improve our existing products and services. Legitimate interest to improve the products or services we provide.
• To conduct direct marketing, including promotions, campaigns, and competitions. May relate to a contract, legitimate interests, or, in some cases, your consent.
• To determine products and services that may be of interest to you. Legitimate interest to improve the products or services we provide.
• To conduct data analytics and analysis studies, and improve our business, website(s), and social media. Legitimate interests, and we may also have legal obligations or be exercising a legal right.
• To complete staff training. Legitimate interest to train our staff and improve the products or services we provide.
• To conduct any business or other relationship with you, or an organisation you work for. May relate to a contract, legitimate interests, legal obligations, or, in limited cases, your consent.
• To monitor, manage, or record our relationship with you or an organisation you work for. Necessary to perform a contract, or legitimate interest.
• To investigate misuse of your account and possible fraud. Legitimate interest to detect crime.
• To carry out background, identity, or credit checks in relation to you or an organisation you want to register with us. Legitimate interest to conduct checks, or in some cases, your consent.
• In connection with legal obligations relating to our relationship with you, for example, health and safety, data protection, Companies House filings, or equality obligations.
• To keep and maintain proper records relating to your relationship with us. Necessary to perform a contract, legitimate interests, or legal obligations.
• To prevent, detect, or prosecute criminal activity. Legitimate interest to prevent or detect crime, legal obligations, or public interest.
• To establish, bring, or defend legal claims. Legal obligations, exercising a legal right, or a necessity to establish, bring, or defend claims.
• To ensure effective general business administration and manage our business. Necessary to perform a contract, or a legitimate interest in operating our business.
• To obtain referrals from other organisations you have worked for or with. May relate to a contract, legitimate interests, or legal obligations.
• To monitor use of our information and communications systems, website, and social media accounts to ensure compliance and network security. Legitimate interests, legal obligations, or exercising a legal right.
• To conduct market research to better understand the customers we supply with products or services. Legitimate interest to improve our products or services.

---

12. Automated decision-making

Automated decision-making occurs when an electronic system uses personal information to make a decision about a person without any human intervention, producing legal effects or otherwise significantly affecting them. We do not currently use this type of automated decision-making in our business in relation to you, and you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and have notified you.

---

13. Who has internal access to your personal information?

Your personal information may be shared internally with our staff, including managers, teams carrying out training, product or service teams, the technology team, and senior staff in the business area involved in your relationship with us. We provide access only to staff members who need it to perform their roles.

---

14. Who do we share your personal information with externally?

When using your personal information, we may share it with third parties, but only when appropriate and we have a legal basis to do so. Third parties we may share your personal information with include:

• Any third party approved by you, where we need to do so, to enter into or perform a contract with you.
• Companies in the same group as us for the purpose of providing a product or service to you.
• Delivery companies will deliver the products that you have ordered from us.
• Payment providers to take payment for our products or services.
• Credit reference agencies to assess your creditworthiness and verify your identity.
• An organisation you work for or that represents you, if that organisation has a relationship with us.
• Customers of our business usually have a relationship with us as a member of their staff or as their client or customer.
• Service or product providers to our business, for example, IT services suppliers, credit reference agencies, and marketing and public relations service providers.
• If you represent one of our suppliers, to other companies in the supply chain so they can contact you about any supply chain issues.
• Third parties that process personal information on our behalf and in accordance with our instructions, usually service suppliers.
• Purchasers, investors, funders, and their advisers, if we sell all or part of our business, assets, or shares, or where we restructure our business.
• Our legal and other professional advisers, including our auditors and any professional advisors appointed by you.
• Third-party record keepers, for example, make filings at Companies House.
• Social media and other online platforms where relevant to our relationship with you.
• Governmental bodies, HMRC, other regulators (including the FCA and sometimes the ICO), police, law enforcement agencies, security services, and courts or tribunals.
• We use Google Analytics, which sets cookies to collect information about how visitors use our website. The cookies collect information in an anonymous form, including the number of visitors, where visitors have come from, and the pages they visited. We use this information to compile reports and improve the website. For more details on our cookie policy, please visit our Use of Cookies. To opt out of being tracked by Google Analytics across all websites, visit tools.google.com/dlpage/gaoptout.
• We may also use other service providers for marketing purposes, such as Mailchimp and Webex.

We do not disclose personal information to anyone else except as set out above, unless we are legally entitled to do so.

---

15. International transfers

It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (EEA). This will typically occur when service providers to our business are located outside the EEA. These transfers are subject to special rules under data protection laws.

If we transfer your personal information outside the UK and the EEA, we will ensure the transfer complies with data protection laws and that all personal information remains secure. Our standard practice is to assess the laws and practices of the destination country and relevant service provider, along with the security measures to be taken; alternatively, we use standard data protection clauses.

Our directors and other key staff may, in limited circumstances, access personal information from outside the UK and the EEA when travelling abroad. If they do so, they will be using our security measures, and the same legal protections will apply as would apply to accessing personal information from our UK premises.

In limited circumstances, people to whom we may disclose personal information may be located outside of the UK and EEA, and we will not have an existing relationship with them — for example, a foreign police force or a foreign regulator. In these cases, we will impose any legally required protections before disclosure.

If you would like any more details about how we protect your personal information in relation to international transfers, please contact Harmeet Singh Matharu at [email protected].

---

16. How do we protect your personal information?

We are committed to keeping your personal information safe and secure, and so we have numerous security measures in place to protect against loss, misuse, and alteration of information under our control. Our security measures include:

• Encryption of personal information where appropriate.
• Regular planning and assessments to ensure we are ready to respond to cybersecurity attacks and data security incidents.
• Regular penetration testing of systems.
• Security controls which protect our IT systems infrastructure and our premises from external attack and unauthorised access.
• Best-in-class security systems are implemented across our networks and hardware to ensure access and information are protected.
• Regular backups of IT systems data.
• Internal policies outlining our information security rules for staff.
• Regular training for our staff to ensure they understand the appropriate use and processing of personal information.
• Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.

We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.

---

17. For how long do we keep your personal information?

The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it. We will hold your personal information for the duration of your relationship with us, and then, usually, for a further period of up to 6 years. However, for some business relationships — for example, those relating to land or our premises leases — we may need to keep records for 12 years or more.

In some cases, we may need to keep your personal information for longer, for example, if it is still relevant to a dispute, legal case, claim, or regulatory matter. We will not retain your personal information for longer than necessary for the purposes for which it was collected. The periods set out above are usually the maximum, and in some cases, we may keep your personal information for a much shorter period.

For more information, please contact Harmeet Singh Matharu at [email protected].

---

18. Your rights

As an individual whose personal information we collect and process, you have a number of rights. You may:

• Withdraw consent you have given to us. Once we have received notification of withdrawal, we will no longer process your personal information for the purpose or purposes for which you originally gave your consent, unless we have another legal basis for doing so. Withdrawing consent will not affect use that has already happened.
• Request details about how your personal information is being used. This right is linked with the right of access mentioned below.
• Request access to the personal information we hold about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information corrected.
• Request erasure of your personal information. You can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. The right to erasure does not apply in all circumstances.
• Object to processing where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
• Object to direct marketing in which we process your personal information for direct marketing purposes. This is an absolute right.
• Request restriction of processing. This enables you to ask us to suspend the processing of your personal information for a period if the data is inaccurate or there is a dispute over whether your interests override our legitimate grounds for processing.
• Request transfer of your personal information to another party in certain circumstances.
• Object to automated decision-making processes using your personal information.

Some of these rights may not always apply as they have specific requirements and exemptions. For example, we do not use automated decision-making regarding your personal information that has legal or other significant effects on you. However, your right to withdraw consent or object to processing for direct marketing is an absolute right.

If you would like to exercise any of these rights, please contact Harmeet Singh Matharu at [email protected]. We may need to request specific information from you to help us confirm your identity before we can action your request.

More information about your legal rights is available on the ICO’s website at ico.org.uk/for-the-public/.

---

19. Complaints

We hope you don’t have any reason to complain, and we will always try to resolve any issues you have. However, you always have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) about how we deal with your personal information or your rights in relation to it.

You can make a complaint in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom, or online at ico.org.uk/make-a-complaint/.

---

20. Contacting us

If you have any queries regarding our use of your personal information or this privacy notice, please contact us at [email protected] or write to us at Bolney Wine Estate, Foxhole Lane, Bolney, Haywards Heath, West Sussex, England, RH17 5NB.