Privacy Policy

A. GENERAL PART

A.1. USER DATA COLLECTION AND PROCESSING

Within the scope of Sogrape's App ("Application") and the services and communications provided therein, Sogrape Vinhos, S.A., with the corporate taxpayer number 500271615, with registered office at Lugar de Aldeia Nova, 4430-761 Vila Nova de Gaia, as the controller (hereinafter referred to as "Sogrape"), requests the User to provide personal data, i.e., the information provided by the User that allows Sogrape to identify and/or contact an individual ("Personal Data").

Personal Data collected and processed are name, email address, date of birth, and User country to use the Sogrape's Application.

When collecting Personal Data, Sogrape provides the User with detailed information on the nature of the data collected and the purpose and processing carried out concerning the Personal Data, by consulting this Privacy Policy.

Additionally, Sogrape collects and handles information about your equipment, as well as information about the pages you visit within the Application ("Usability Information"). We use this information only to improve the quality of your visit to our Application.

Usability Information and Personal Data are referred to in this Privacy Policy as "User Data".

A.2. PROCESSORS

In the context of processing the User Data, Sogrape may resort to third parties, subcontracted by it, to process the User Data on behalf of Sogrape, in strict compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) and the Portuguese Data Protection Act (Law no. 58/2019, 8 August), as well as this Privacy Policy.

Considering the purposes of this Application to prevent counterfeiting, traceability of Barca Velha product, and consumer loyalty, Sogrape uses the National Press - Casa da Moeda, S.A. for the development and management of the Application, as well as is responsible for the production of the authenticity seals to be placed on the bottles of Barca Velha with information about the brand and the product.

All Processors may not transmit the User Data to other entities without Sogrape's prior written authorization. Sogrape undertakes to subcontract only those entities that provide sufficient guarantees for implementing the appropriate technical and organizational measures to ensure the defense of the User's rights. All Processors are bound to Sogrape through a written agreement in which the object and duration of the processing, nature, and purpose of the processing, the type of Personal Data, the categories of data subjects, and the rights and obligations of the Parties are regulated.

A.3 DATA COLLECTION CHANNELS

Sogrape may collect data directly (i.e., directly from the User) or indirectly (i.e. via partner entities or third parties). Such collection may be done through the following channels:

Direct collection: through the Application;
Indirect collection: through partners or group companies and official entities.

B. GENERAL PRINCIPLES RELATING TO PROCESSING OF USER DATA

In terms of the principles relating to processing of personal data, Sogrape undertakes to ensure that the User Data processed are:

Subject to a lawfully, fairly and in a transparent manner in relation to the User;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Data processing carried out by Sogrape is lawful only if and to the extent that at least one of following applies:

The User has given consent to the processing of his or her personal data for one or more specific purposes of the Application, for example for georeferencing (taking into account that the data are anonymous and intended for statistical processing only);
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract under the services provided by the Application;
The processing is necessary for compliance with a legal obligation to which Sogrape is subject;
The processing is necessary in order to protect the vital interests of the User or of another natural person;
The processing is necessary for the purposes of the legitimate interests pursued by Sogrape or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).

Sogrape undertakes to ensure that User Data is only processed under the conditions cited above and respecting the principles mentioned above.

When processing of the User Data is performed by Sogrape based on the User’s consent, the User has the right to withdraw his/her consent at any time. Such withdrawal of the consent, does not compromise the lawfulness of processing carried out by Sogrape, based on the consent previously given by the User.

The period of time, which the data is filed and stored, varies according to the purpose for which the information is being processed. here are legal requirements that require the data to be preserved for a minimum period of time. Thus, and where there is no specific legal obligation, the data will be stored and kept only for the minimum period necessary for the purposes that lead to their collection or subsequent processing, which at the end of the period will be deleted.

B.1. PURPOSES OF USER DATA PROCESSING

Sogrape uses the User Data for the following purposes:

Promotion of Barca Velha brand and product;
Registration and creation of User account in the Application;
Access to the Reserved Area of the Application;
Reading of the authenticity seal applied to the bottle Barca Velha;
Sogrape Group promotional and institutional newsletters;
Contacts and communications management;
Statistical analysis to assess the performance of the Application.

The User Data collected by Sogrape are not shared with third parties without the consent of the User, except for the situations mentioned below. Given the applicable legal terms, Sogrape may transmit or communicate the User Data to other entities, without these qualifying as processors (cf. point A.2 . of this Privacy Policy) if such transmission or communication is necessary within the framework of the relationship established between the User and Sogrape, or for pre-contractual arrangements at the request of the User, or if it is required for the fulfillment of a legal obligation to which Sogrape is subject or if it is necessary for pursuing its legitimate interests, within the framework of the grounds of legitimacy mentioned in this Privacy Policy.

B.2. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES IMPLEMENTED

In order to guarantee the security of the User Data and the maximum confidentiality, Sogrape processes the information provided in an absolutely confidential manner, in accordance with our internal security and confidentiality policies and procedures, which are updated periodically as required, as well as the terms and conditions legally set out.

Bases in the nature, scope, context and purpose of data processing, as well as the risks arising from the processing of the rights and freedoms of the User, Sogrape undertakes to apply, when defining the method and timing of handling the data, the appropriate technical and organizational measures necessary for the protection of User Data and compliance with legal requirements.

It also undertakes to ensure that, by default, only data that are necessary for each specific purpose are processed and that such data are not made available without human intervention to an indeterminate number of people.

Sogrape adopts the following general security measures:

Regular audits to identify the effectiveness of the technical and organizational measures implemented;
Awareness and training of personnel involved in data processing operations;
The pseudonymisation and encryption of personal data;
Mechanisms capable of ensuring the to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Mechanisms capable to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

B.3. INTERNATIONAL TRANSFERS

Personal data collected and used by Sogrape are not made available to third parties established outside the European Union. If, in the future, such a transfer takes place for the reasons mentioned above, Sogrape undertakes to ensure that the transfer complies with the applicable legal provisions, regarding the country’s adequacy decision with respect to data protection and the requirements applicable to such transfers.

C. USER RIGHTS (DATA SUBJECTS)

C.1. PROCEDURES FOR THE EXERCISING OF USER RIGHTS

The right of access, rectification, erasure, restriction of processing, to object and to data portability can be exercised by the User through the e-mail privacy@sogrape.pt.

Sogrape will respond in writing (including by electronic means) to the User’s request within a maximum period of one month from the receipt of the request, except in particularly complex cases, for which this period may be extended up to two months.

Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, Sogrape may charge a reasonable fee based on administrative costs, or refuse to act on the request.

C.2. DATA BREACH

In legal terms, the communication to the User shall not be required if any of the following conditions are met:

Sogrape has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
Sogrape has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize; or
It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the User are informed in an equally effective manner.

D. FINAL PART

D.1 CHANGES TO PRIVACY POLICY

Sogrape reserves the right to make changes to this Privacy Policy at any time. In the case of adjustment to the Privacy Policy, the date of the most recent change will be available at the top of this page. If the change is substantial, a notice will be placed on the Application.

D.2 APPLICABLE LAW AND LEGAL JURISDICTION

The Privacy Policy, as well as the collection, processing or transmission of User Data are all governed by the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, and by the laws and regulations applicable in Portugal.

Any litigation arising from the validity, interpretation or implementation of the Privacy Policy, or related to the collection, processing or transmission of User Data, must be submitted exclusively to the jurisdiction of Sogrape’s headquarters, without prejudice to mandatory legal rules.