Doing business in a global economy requires Constellation Brands, Inc. and its subsidiaries worldwide (“CBI” or the “Company”) to comply with a number of different laws and regulations governing the treatment of Personal Information of our employees, customers, or any other persons. This Global Privacy Program Policy (this “Policy”) sets forth Company-wide principles for how CBI handles Personal Information. Protecting the confidentiality and integrity of Personal Information is a critical responsibility, and compliance with this Policy is mandatory. The purpose of the Policy is to: (1) define Personal Information and Sensitive Personal Information; (2) establish general principles for protecting Personal Information; and (3) assign accountability for protection of Personal Information.
This Policy applies to all CBI employees (full-time, part-time and temporary), agents, distributors, and representatives, including any contractors or third-party providers of services to CBI (“Third-Party Service Providers”) who have access to Personal Information CBI has collected or otherwise has in its possession. This Policy applies to all Personal Information collected, maintained, transmitted, stored, retained, or otherwise used by CBI regardless of the media on which that information is stored and whether relating to employees, customers, or any other person.
Individual regions, countries, states, provinces, or other governmental bodies may impose additional and/or more restrictive or proscriptive requirements. Those subject to this Policy who are operating in and subject to the laws of those jurisdictions will comply with applicable laws regarding privacy and data protection, and additional policies applicable to those departments or jurisdictions (or regions) may be implemented to manage that compliance.
3. ROLES AND RESPONSIBILITIES:
The Global Privacy Lead and the Information Security and Privacy Steering Committee review privacy-related policies, practices, and, upon request, training materials established by the departments.
The Information Security and Privacy Steering Committee is an internal, cross-functional governance committee, comprised of the Global Privacy Lead and the Chief Information Security Officer (“CISO”) in addition to the others listed in the Information Security and Privacy Steering Committee Charter.
• Data Subject – The term “Data Subject” means the person about whom Personal Information is collected.
• Personal Information – The term “Personal Information” means any information that identifies or can be used to identify or authenticate an individual. Examples of Personal Information include, but are not limited to:
- Telephone numbers;
- E-mail addresses;
- Employee identification numbers;
- IP addresses;
- Device IDs;
- Geolocation data;
- User names, log-in names or handles;
- Consumer purchase histories; or
- Sensitive Personal Information.
• Sensitive Personal Information – The term “Sensitive Personal Information” means Personal Information that if lost, compromised, accessed, or improperly disclosed could result in harm, embarrassment, inconvenience, or unfairness to an individual and that therefore is subject to heightened protections under applicable laws or may be covered by applicable data breach notification laws or reporting requirements. Examples of Sensitive Personal Information include, but are not limited to:
- An individual’s government-issued identification number, including a social security number (or foreign equivalent), driver’s license number, passport number, or state or tribe-issued identification number;
- Financial account numbers, and credit or debit card numbers (with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account);
- Biometric data (such as electronic fingerprints or retinal scans);
- Medical, health, or health insurance information;
- Account passwords or PINs (clear text or hashed) or responses to security questions;
- Dates of birth (in conjunction with name or other identifying information);
- eSignatures/digital signatures;
- Genetic information;
- Criminal history or background;
- Race and ethnic origin;
- Sexual life or orientation;
- Political affiliation or opinions;
- Philosophical beliefs; or
- Trade union membership.
In most jurisdictions, the law will provide for the types of information that are subject to heightened protection. If you have any questions about whether any Personal Information qualifies as Sensitive Personal Information, you should contact the Global Privacy Lead at [email protected].
Choice and Consent. You must describe the choices available to the Data Subject related to the collection and use of her/his Personal Information and, where necessary, obtain consent with respect to the collection, use, and disclosure of Personal Information. Where consent is necessary, the type of consent required (opt-in vs. opt-out) may depend on the nature of the Personal Information and the use of that information by the Company, as well as the jurisdiction in which the Company and/or the Data Subject are located.
You must retain Personal Information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately dispose of such information, as outlined in the Records Management Policy (translations of such policy in certain languages are also available on OpenBar). Personal Information no longer retained must be anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
Data Subject Rights. Data Subjects have rights when it comes to how their Personal Information is handled. These rights may vary depending on the applicable jurisdiction (both of the Company entity and of the Data Subject) and may include: (1) the right to know what Personal Information the Company maintains about the individual and/or with whom the Company has shared the Personal Information and for what purposes; (2) the right to access or correct the Personal Information; or (3) the right to delete the Personal Information. All requests or complaints from Data Subjects regarding the handling of Personal Information should be immediately forwarded to the Global Privacy Lead at pr[email protected], who will direct the response to the Data Subject.
Security for Privacy. You must take appropriate steps to protect Personal Information against loss, unauthorized access (both physical (i.e., limit access to buildings, rooms, areas, and information technology assets) and logical (i.e., limit access to computer networks, system files, and data)) and unauthorized disclosure. You must exercise particular care in protecting Sensitive Personal Information from loss, unauthorized access, and unauthorized disclosure. CBI’s Information Security Policy and related standards and guidelines describe the measures to be taken to safeguard Personal Information.
6. SECURITY INCIDENTS:
A “Security Incident” is any compromise of the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards the Company or a Third-Party Service Provider has put in place to protect Personal Information that results in or could result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
If you know or suspect that a Security Incident has occurred, immediately notify the Crisis Coordinator via [email protected] or 585-678-7926. The Crisis Coordinator will follow the Crisis Management Plan and the Information Security Incident Response Procedure. You should preserve all evidence relating to the potential Security Incident and not attempt to investigate the matter yourself unless otherwise directed by the Crisis Coordinator.
7. REQUIRED TRAINING:
All CBI personnel who have access to Personal Information must be aware of and trained on this Policy and the appropriate treatment of Personal Information.
8. RELATED POLICIES, STANDARDS AND PROCEDURES:
| Document Revision | Document Number | Document Name |
|---|---|---|
| | | Use of Employment Information Policy |
| | | Records Management Policy |
| | | Information Security and Privacy Vendor Management Policy |
| | | Information Security Incident Response Procedure |
9. APPROVED BY:
Tiffany De Liberty, SVP, General Counsel & Corporate Compliance Officer
| Revision | Date Revised | Reason Revised |
|---|---|---|
| R-1.0 | May 30, 2018 | Initial Approval |
| R-1.1 | March 4, 2019 | Revisions to align with GAPP framework and other internal policies and procedures |