Information on the processing of personal data

Dear User:

In accordance with applicable laws regarding the protection of personal information, we inform you that your personal data (hereinafter referred to as "Data") are collected to provide the services you are requesting (hereinafter referred to as "Services"). The Data is processed with and without the aid of electronic tools, based on logic and procedures consistent with the purposes indicated below and in compliance with Regulation (EU) 2016/679 (“GDPR”), including confidentiality and safety.

The Data will be processed by the company, as Data Controller (“Owner” or “Company”).

  1. Purpose of processing and consequences in case of refusal to provide your personal data

The Company collects the Data that you provide when making detailed reports of (i) illicit conduct or violations of the Company's organization models of which you become aware in the context of the employment relationship in compliance with the law (law 30 November 2017, n. 179); (ii) behavior contrary to the ethical principles of the Constellation Brands, Inc. Group in order to verify and guarantee the correct and complete application of the Company policies and implement subsequent activities consequent to said checks, as well as in order to comply with specific obligations required by law, regulations and applicable legislation with reference to precise internal control needs of the Company and monitoring of corporate risks, specifically dictated by law; (iii) conduct determined within the Whistleblowing Policy (in point 5.2).

The provision of Data is optional; however, in case of refusal, it will be more difficult or, if necessary, not possible to follow up on the activities relating to the report.

The Company will process the following Data and information you provide when you make a non-anonymous report: (i) your name and contact details (unless the report is made anonymously); (ii) the name and Data of other people provided in the report (e.g. description of functions and contact information); and (iii) a description of the alleged infringement, as well as a description of the circumstances of the case. Please note that depending on the laws in force in the country where the reporter is resident, reporting anonymously may not be permitted; however, your Data will be treated confidentially and will only be disclosed in accordance with the rules set out below.

Only where relevant to the matter reported and only to the extent permitted by applicable law and/or the need to ascertain, exercise or defend a right in court, can data belonging to special categories be processed (e.g. personal data revealing racial origin or ethnic, political opinions, religious or philosophical beliefs, or trade union membership, as well as processing genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person). If such data is not relevant for the purposes of reporting or is too late, it will be promptly deleted and will not be processed further.

  1. Legal bases of processing

The Company bases the processing of your Data on the following legitimacy bases:

  • Compliance with legal obligations (art. 6, paragraph 1, letter c of the GDPR): to comply with relevant laws and regulatory requirements and to respond to legitimate requests, judicial orders and judicial proceedings.
  • Legitimate interests (art. 6, paragraph 1, letter f, of the GDPR): to realize a legitimate interest based on an assessment of the interests of the Data Controller, the interested party and other fundamental interests.
  • Consent (art. 6, paragraph 1, letter b, of the GDPR): the identity of the reporting person and any other information from which such identity can be deduced, directly or indirectly, cannot be revealed without the express consent of the same person reporting person, to persons other than those competent to receive or follow up on the reports, expressly authorized to process such Data. Express consent is also required when using the voice messaging channel.
  1. Communication of your personal data to third parties

In compliance with the GDPR, the Data concerning you acquired from time to time can be used to update and correct the information previously collected.

Data are accessible to duly authorized Company personnel based on criteria of necessity and are communicated to third parties in the following cases: (i) when communication is required by laws and regulations applicable to legitimate third party recipients, such as authorities and public bodies for their respective institutional purposes, e.g. anti-money laundering legislation, judicial authority; (ii) communication to third parties in the event of extraordinary operations (e.g. mergers, acquisitions, company transfer, etc.).

Your Data may also be communicated to third-party suppliers who support us in providing the Services necessary for the management of reports, duly appointed as Data Processors in accordance with the provisions of the GDPR.

Finally, for the above purposes, the companies of the Constellation Brands, Inc. Group located in Italy may access your Data, as independent Data Controller, if the reports concern their employees.

  1. Transfers of personal data outside the European Union

Some of the Constellation Brands, Inc. Group companies receiving your Data are also established outside the European Union, in countries that do not guarantee an adequate level of protection for personal data pursuant to the GDPR. The Data Controller adopts the necessary precautions for a legitimate transfer of Data (e.g. through the implementation of the Standard Contractual Clauses approved by the European Commission).

  1. Storage of personal data

Your Data are stored for the time strictly necessary to pursue the purposes for which your Data are collected and for the fulfillment of applicable legal obligations.

Furthermore, the Data will be deleted or made permanently anonymous upon achieving the purposes indicated above, except in the case where the Data Controller is required to retain the Data for a further period to comply with legal obligations.

  1. Data Controller

The Company

  • Poderi Ducali Ruffino S.r.l. Agricultural Company, with registered office in Via Formighè, 9/A, 30027 San Donà di Piave VE, Italy, email address poderiducaliruffino@ruffino.it
  • Tenute Ruffino S.r.l. Agricultural Company, with registered office in Via Poggio al Mandorlo 1, 50012 Bagno a Ripoli (Florence), Italy, e-mail address: teneruffino@ruffino.it
  • Ruffino S.r.l., with headquarters in Piazzale Ruffino n.1, 50065 Pontassieve (Florence), Italy, e-mail address: info@ruffino.it
  • Constellation Brands Europe Trading S.r.l. with headquarters in Piazzale Ruffino n.1, 50065 Pontassieve (Florence), Italy, e-mail address: info@ruffino.it

will process Data to the extent of its competence as Data Controller, for the reports received within its competence.

  1. Your rights

You can contact the Company at the addresses indicated above to obtain an updated list of our Data Processors, of the subjects to whom the Data are communicated and to exercise the rights referred to in the articles at any time. 15 ss. of the GDPR e.g. obtain confirmation of the existence or otherwise of your Data, verify its content, origin, accuracy, request integration, updating, rectification, cancellation, anonymisation, request Data portability, limitation of processing, opposition to processing for legitimate reasons, e.g. opposition to marketing activities. You have the right to withdraw your consent at any time.

The exercise of your rights as mentioned above may, in any case, be delayed, limited or excluded with motivated communication from the Owner (unless the communication could compromise the purpose of the limitation), for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the interested party, in order to safeguard the interests of the Data Controller related to confidentiality pursuant to law 30 November 2017, n. 179. In such cases, your rights can also be exercised through the Guarantor in the manner referred to in Article 141 of Legislative Decree 196/2003.

At any time, lodge a complaint with the competent Authority (the Italian Data Protection Authority) as required pursuant to art. 77 GDPR.