Global Privacy Policy

 

GLOBAL PRIVACY POLICY

1. PURPOSE:
Doing business in a global economy requires Constellation Brands, Inc. and its subsidiaries worldwide (“CBI” or the “Company”) to comply with a number of different laws and regulations governing the treatment of Personal Information of our employees, customers, or any other persons. This Global Privacy Program Policy (this “Policy”) sets forth Company-wide principles for how CBI handles Personal Information. Protecting the confidentiality and integrity of Personal Information is a critical responsibility, and compliance with this Policy is mandatory. The purpose of the Policy is to: (1) define Personal Information and Sensitive Personal Information; (2) establish general principles for protecting Personal Information; and (3) assign accountability for protection of Personal Information.

2. SCOPE:
This Policy applies to all CBI employees (full-time, part-time and temporary), agents, distributors, and representatives, including any contractors or third-party providers of services to CBI (“Third-Party Service Providers”) who have access to Personal Information CBI has collected or otherwise has in its possession. This Policy applies to all Personal Information collected, maintained, transmitted, stored, retained, or otherwise used by CBI regardless of the media on which that information is stored and whether relating to employees, customers, or any other person.

Individual regions, countries, states, provinces, or other governmental bodies may impose additional and/or more restrictive or proscriptive requirements. Those subject to this Policy who are operating in and subject to the laws of those jurisdictions will comply with applicable laws regarding privacy and data protection, and additional policies applicable to those departments or jurisdictions (or regions) may be implemented to manage that compliance.

3. ROLES AND RESPONSIBILITIES:
The Global Privacy Lead and the Information Security and Privacy Steering Committee review privacy-related policies, practices, and, upon request, training materials established by the departments.

The Information Security and Privacy Steering Committee is an internal, cross-functional governance committee, comprised of the Global Privacy Lead and the Chief Information Security Officer (“CISO”) in addition to the others listed in the Information Security and Privacy Steering Committee Charter.

4. DEFINITIONS:
Data Subject – The term “Data Subject” means the person about whom Personal Information is collected.

Personal Information – The term “Personal Information” means any information that identifies or can be used to identify or authenticate an individual. Examples of Personal Information include, but are not limited to:

  • Names;
  • Addresses;
  • Telephone numbers;
  • E-mail addresses;
  • Employee identification numbers;
  • IP addresses;
  • Device IDs;
  • Geolocation data;
  • User names, log-in names or handles;
  • Consumer purchase histories; or
  • Sensitive Personal Information

Sensitive Personal Information – The term “Sensitive Personal Information” means Personal Information that if lost, compromised, accessed, or improperly disclosed could result in harm, embarrassment, inconvenience, or unfairness to an individual and that therefore is subject to heightened protections under applicable laws or may be covered by applicable data breach notification laws or reporting requirements. Examples of Sensitive Personal Information include, but are not limited to:

  • An individual’s government-issued identification number, including a social security number (or foreign equivalent), driver’s license number, passport number, or state or tribe-issued identification number;
  • Financial account numbers, and credit or debit card numbers (with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account);
  • Biometric (such as electronic fingerprint or retinal scans);
  • Medical, health, or health insurance information;
  • Account passwords or PINs (clear text or hashed) or responses to security questions;
  • Dates of birth (in conjunction with name or other identifying information);
  • eSignatures/digital signatures;
  • Genetic information;
  • Criminal history or background;
  • Race and ethnic origin;
  • Sexual life or orientation;
  • Religion;
  • Political affiliation or opinions;
  • Philosophical beliefs; or
  • Trade union membership.

In most jurisdictions, the law will provide for the types of information that are subject to heightened protection. If you have any questions about whether any Personal Information qualifies as Sensitive Personal Information, you should contact the Global Privacy Lead at privacy@cbrands.com.

5. GLOBAL PRIVACY POLICY PRINCIPLES: 

The following section provides the CBI Global Privacy Policy Principles: 

Transparency and Notice. Whenever you collect Personal Information on behalf of the Company for any purpose, including for human resources or employment purposes, you must inform the Data Subject of how you will use, process, disclose, protect, and retain that Personal Information by presenting a privacy policy or privacy notice to the Data Subject at or near the time the Data Subject provides the Personal Information. As much as possible, the privacy notice will be conspicuous and in plain and simple language. The Use of Employment Information Policy provides notice as to the collection, use, retention, sharing, and disposal of Personal Information provided to the Company for employment purposes. Additional notice may be required in some jurisdictions. 

Choice and Consent. You must describe the choices available to the Data Subject related to the collection and use of her/his Personal Information and, where necessary, obtain consent with respect to the collection, use, and disclosure of Personal Information. Where consent is necessary, the type of consent required (opt-in vs. opt-out) may depend on the nature of the Personal Information and the use of that information by the Company, as well as the jurisdiction in which the Company and/or the Data Subject are located. 

Collection. You must collect information only for the purposes described in the privacy policy or privacy notice and limit the collection to only the information required for those purposes. Prior to collection, you must review the applicable privacy policy or notice and verify that the types of Personal Information collected and the methods of collection, including the use of cookies or other tracking techniques, are documented and described in the privacy policy or notice.

Use, Purpose Limitation, Retention, and Disposal. You must limit the use of Personal Information to the purposes identified in the privacy policy or privacy notice, or for which the Data Subject has provided explicit consent, unless a law or regulation specifically requires otherwise.

You must retain Personal Information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately dispose of such information, as outlined in the Records Management Policy (translations of such policy in certain languages are also available on OpenBar). Personal Information no longer retained must be anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.

Data Subject Rights. Data Subjects have rights when it comes to how their Personal Information is handled. These rights may vary depending on the applicable jurisdiction (both of the Company entity and of the Data Subject) and may include: (1) the right to know what Personal Information the Company maintains about the individual and/or with whom the Company has shared the Personal Information and for what purposes; (2) the right to access or correct the Personal Information; or (3) the right to delete the Personal Information. All requests or complaints from Data Subjects regarding the handling of Personal Information should be immediately forwarded to the Global Privacy Lead at privacy@cbrands.com, who will direct the response to the Data Subject.

Disclosure to Third-Parties. You may disclose Personal Information to third parties only for the purposes identified in the privacy policy or privacy notice, or with the explicit consent of the Data Subject, unless a law or regulation specifically requires or allows otherwise. Personal Information may only be disclosed to Third-Party Service Providers who have agreements with CBI to protect Personal Information in a manner consistent with the relevant aspects of CBI’s privacy policies or other specific instructions or requirements. For additional information, please see the Information Security and Privacy Vendor Management Policy available on OpenBar.

Security for Privacy. You must take appropriate steps to protect Personal Information against loss, unauthorized access (both physical (i.e., limit access to buildings, rooms, areas, and information technology assets) and logical (i.e., limit access to computer networks, system files, and data)) and unauthorized disclosure. You must exercise particular care in protecting Sensitive Personal Information from loss, unauthorized access, and unauthorized disclosure. CBI’s Information Security Policy and related standards and guidelines describe the measures to be taken to safeguard Personal Information.

Quality and Accuracy. You must maintain accurate, complete, and relevant Personal Information for the purposes identified in the privacy policy or privacy notice.

Any questions about the application of these Global Privacy Policy Principles should be directed to privacy@cbrands.com.

6. SECURITY INCIDENTS:
A “Security Incident” is any compromise of the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards the Company or a Third-Party Service Provider has put in place to protect Personal Information that results in or could result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.

If you know or suspect that a Security Incident has occurred, immediately notify the Crisis Coordinator via crisis@cbrands.com or 585-678-7926. The Crisis Coordinator will follow the Crisis Management Plan and the Information Security Incident Response Procedure. You should preserve all evidence relating to the potential Security Incident and not attempt to investigate the matter yourself unless otherwise directed by the Crisis Coordinator.

7. REQUIRED TRAINING:
All CBI personnel who have access to Personal Information must be aware of and trained on this Policy and the appropriate treatment of Personal Information.

8. RELATED POLICIES, STANDARDS AND PROCEDURES:

Document Revision Document Number Document Name
Use of Employment Information Policy
Records Management Policy
Information Security and Privacy Vendor Management Policy
Information Security Incident Response Procedure

9. APPROVED BY:
Tiffany De Liberty SVP, General Counsel & Corporate Compliance Officer

Revision Date Revised Reason Revised
R-1.0 May 30, 2018 Initial Approval
R-1.1 March 4, 2019 Revisions to align with GAPP framework and other internal policies and procedures

You must be of legal drinking age in your country to enter this site.

Please enter your date of birth below and press "Enter".

Are you years or older?

Crafters Union Wines supports the Century Councils fight against underage drinking and drunk driving. To learn more, visit their website at: www.centurycouncil.org

We will not share your information or post to your Facebook wall without your permission.

Please enjoy our wines responsibly. © 2019 Crafters Union Wines

Our Privacy Policy and Terms & Conditions have changed. By using this website, you agree to the Privacy Policy and Terms and Conditions of use.