Personal Data Protection Policy

Purpose of the personal data protection policy

In summary: This document summarises all the commitments made by Les Domaines Barons de
Rothschild (Lafite) with regard to the protection of Personal Data.

Data controller. Les Domaines Barons de Rothschild (Lafite) (hereinafter, “DBR”) is required to
collect and use data to identify or make identifiable its staff, customers, prospects, suppliers, service
providers and partners, as well as Internet users browsing the website(s) that it publishes (hereinafter,
the “Personal Data” or “Data”)

Data processed. Under these conditions, DBR processes certain categories of Personal Data such
as economic data, identification data, professional data, data relating to aspects of personal lives,
and certain data relating to allergens and food preferences.

DBR attaches particular importance to the transparency of its practices, in particular with regard to
compliance with Data Subjects’ rights in relation to their Personal Data.

Clarifications. The purpose of this Policy is to summarise DBR’s commitments concerning
compliance with the principles set out in the Regulations applicable to Personal Data Processing in
a concise, transparent, comprehensible and easily accessible format, in particular with regard to:

  • the implementation of lawful Processing,
  • compliance with Data Subjects’ rights,
  • any transfers to a country outside the European Union,
  • the recipients of the Personal Data collected,
  • the retention period of the Personal Data collected,
  • the security measures applied to protect Personal Data.

Accessibility. This Policy includes any information necessary to ensure the implementation of fair
and transparent Processing, taking into account the particular circumstances and context in which
the Personal Data is processed. It is subject to publication and publicly accessible to any person
requesting it.

Updates. DBR updates this Policy to comply with any changes in the Regulations, and as necessary.
Our Policy is reviewed at least every three years.

Questions. If you have any questions about this Policy and DBR’s Personal Data Protection
practices, please contact us directly using the following contact details:

Les Domaines Barons de Rothschild (Lafite)
Service juridique
40 – 50 Cours du Médoc
BORDEAUX 33300, FRANCE
rgpd@lafite.com

Identification of the controlle

In summary: DBR is the Controller of the Personal Data it collects and uses in the course of its
activity.

Personal Data are collected and processed by Les Domaines Barons de Rothschild (Lafite), the full
contact details of which are provided below. DBR is therefore the Controller within the meaning of
the General Data Protection Regulation (or “GDPR”), insofar as it determines the Means and
purposes of the Processing.

  • Organisation name: Les Domaines Barons de Rothschild (Lafite)
  • Legal form: Partnership Limited by Shares
  • Address: 40 – 50 Cours du Médoc, 33 300 Bordeaux,
  • TRADE AND COMPANIES: 308 382 928 (Bordeaux)
  • Share capital: €12,148,320
  • Email contact: rgpd@lafite.com

Lawfulness of the data processing implemented by DBR

In summary: DBR ensures that the Personal Data Processing it implements is lawful.

Legal bases. Each of the Processing actions implemented by DBR is grounded in one of the legal
bases provided for by the GDPR. The choice of each legal basis is documented and noted in DBR’s
Processing activities register.

Clarifications. DBR’s Processing is thus based, as the case may be:

  • on the consent of the Data Subject,
  • on the contract, when the Processing is necessary for the preparation or performance of a
    contract entered into with the Data Subject
  • on a legal obligation, when the Processing is imposed by any Regulation applicable to it,
  • on legitimate interest, when the Processing is necessary for the pursuit of DBR’s legitimate
    interests, in strict compliance with the rights and interests of the Data Subjects whose
    Personal Data are processed.

Compliance with the principles applicable to data processing implemented by DBR

In summary: DBR undertakes to comply with the principles imposed by the Regulations applicable
to the Processing of Personal Data, in particular those set out in Article 5 of the GDPR.

Purpose. DBR undertakes first of all to process Personal Data only for specified, precise, explicit
and legitimate objectives (or Purposes). With this in mind, the purpose of DBR’s Processing is aimed
at:

  • human resources management,
  • site access management,
  • customer relationship management,
  • managing its information system,
  • managing relations with its suppliers and service providers,
  • managing its communication and marketing actions,
  • managing the accounting and legal affairs of the group to which it belongs,
  • managing its website.

Data minimisation. DBR undertakes to process only Personal Data that is relevant and strictly
necessary with regard to the Purpose of each Processing action that it implements.

Storage limitation. DBR undertakes to process only Personal Data that is relevant and strictly
necessary with regard to the Purpose of each Processing action that it implements. As such, DBR
has adopted a retention period policy whereby the appropriate retention period is assigned to each
item of Personal Data according to its characteristics and the Purpose for which it was collected.
Once these retention periods have expired, DBR deletes or anonymizes the data in question.

Data security and confidentiality. As Controller, DBR is responsible for the security of the Personal
Data it uses. It therefore ensures that only authorised persons have access to this information.

Accuracy. DBR endeavours to process only accurate and up-to-date Personal Data. DBR takes all
reasonable steps to ensure that Personal Data that are inaccurate, with regard to the Purposes for
which they are processed, are erased or corrected immediately.


Loyalty and transparency. DBR shall inform each Data Subject of the conditions under which their
Personal Data are Processed, at latest at the time of its collection. Generally, this information is
provided in writing in a concise, transparent, understandable and easily accessible manner, using
clear and simple terms, via the following collection forms and dedicated notifications:

  • Employee notification,
  • Customer notification
  • Service provider and subcontractor clauses and notifications,
  • Internet users notification.

No automated decision-making. The Processing implemented by DBR does not provide for
automated decision-making.

Détails of the security measures implemented by DBR

In summary: DBR undertakes to ensure the security of the Personal Data it uses.

Commitments. In accordance with the principle of security, DBR implements appropriate technical
and organisational measures to ensure a level of security that is suited to the risk and nature of the
Personal Data processed. As such, DBR takes into account the state of current knowledge, the costs
of implementation and the nature, scope, context and Purposes of the Processing, as well as the
risks to the rights and freedoms of the Data Subjects, the likelihood and severity of which may vary.

Physical Security. With this in mind, DBR first of all ensures the physical security of Personal Data,
in particular by strictly minimizing individuals’ access to the storage sites and servers located on its
premises.

IT security. DBR implements a range of IT security measures to:

  • guarantee the confidentiality of the Data (encryption, strong authentication, the use of a VPN for remote logins, log keeping and access limitation),
  • restore the availability of Personal Data in the event of an incident.

GISSP. Lastly, DBR has adopted an information general systems (IS) security policy (or “GISSP”).
DBR’s GISSP reflects management’s strategic vision for IS security and risk management. It
describes the strategic elements (issues, baseline, main security needs and threats) as well as the
security rules applicable to the protection of the DBR IS.

Personal Data Breaches. DBR has a procedure in place for notifying the French Data Protection
Authority (CNIL) of Personal Data breaches within seventy-two (72) hours, including the information
required under the Regulations. When the Personal Data breach is likely to result in a high risk to the
rights and freedoms of the Data Subjects, this same procedure provides for detailed information to
be communicated to the Data Subjects as soon as possible.

Recipients of precessed personal data

In summary: The persons and organisations having access to the Personal Data processed by
DBR are identified and undertake in particular to respect Data Subjects’ rights via specific
contractual commitments.

Staff. Personal Data is mainly used by dedicated DBR staff who need to access it in the course of
their duties. Again, the departments concerned are identified in the DBR registers.

Third Parties. DBR also identifies all the organisations to which it communicates Personal Data, for
example its subcontractors, service providers and partners. The identification of third parties is
documented in a dedicated register, which is regularly updated when DBR makes any changes to its
Processing.

Transfer of personal data to a country outside the european union

In summary: In principle, DBR does not transfer the Personal Data it processes outside the
European Union. If DBR is required to perform such a transfer, it shall do so in accordance with the
applicable Regulations.

DBR pays particular attention to the issue of transferring Personal Data outside the European Union
(EU) or the European Economic Area (EEA).

Adequacy. DBR thus takes all necessary measures to avoid said transfers as far as possible, and,
when such avoidance is not possible, to comply with the Regulations to ensure that the Data Subjects’
level of protection guaranteed under these same Regulations is not compromised.

Clarifications. DBR therefore only transfers Personal Data outside the EEA or the EU having first
ensured that the level of Data protection is sufficient and appropriate, and having utilised the legal
tools defined in Chapter V of the GDPR (adequacy decision, standard contractual clauses, binding
corporate rules, explicit consent).

The absence of adequacy regulations. For third parties located in a country that does not have
adequacy regulations in place, DBR ensures that they undertake to take the necessary measures to
respect Data Subjects’ rights over their Data, in particular via standard contractual clauses and
additional security measures (e.g. encryption).

Register. DBR identifies all transfers of Personal Data that it carries out in a dedicated register, which
it updates on a regular basis.

Respect for data subject’s rights regarding their data

In summary. DBR has the necessary procedures in place to ensure that Data Subjects’ rights
regarding their Personal Data are respected.

Data Subjects’ Rights. In accordance with the Regulations, Data Subjects may exercise the
following rights, directly with DBR, when DBR processes their Personal Data

  • Right of access. Each Data Subject has the right to access their Data at any time, as well as to ask DBR why it is using said data.
  • Right to rectification. Each Data Subject has the right to request the correction of any of their Data that proves to be inaccurate.
  • Right to object or to erasure. The Data Subject may also object to the collection and Processing of their Data at any time, or request its erasure, provided that its retention by
    DBR is no longer necessary.
  • Right of restrict processing. The Data Subject may likewise object to the collection
    and Processing of their Personal Data, at any time, for reasons relating to their particular
    situation, except when this Processing is necessary for the performance of the contract
    or for DBR’s compliance with a legal obligation.
  • Right to withdraw consent. Each Data Subject may withdraw their consent to the
    Processing of their Data at any time.

    Right to data portability. Data Subjects may exercise their right to data portability (i.e.
    to obtain their Data in a structured format that can be read in an IT environment) for Data
    provided directly to DBR based on the Data Subject’s consent or pursuant to a contract
    entered into with DBR, and which are subject to Automated Processing.
  • Post-mortem instructions. Any Data Subject has the right to issue instructions concerning the retention, erasure and communication of their Data after their death.
  • Complaints. Any Data Subject has the right to lodge a complaint with a supervisory authority if they consider that DBR has not respected their rights. For example, if the
    Data Subject resides in France, they may lodge their complaint with the French Data
    Protection Authority (link: https://www.cnil.fr/fr/adresser-une-plainte).
  • Data Subjects can find more information about their rights by visiting the French Data
    Protection Authority (CNIL) website (https://www.cnil.fr/fr/les-droits-pour-maitriser-vosdonnees-personnelles) or with any other supervisory authority in their country of
    residence.

Exercise of rights. DBR has a procedure in place to facilitate the exercise of Data Subjects’ rights,
including the following procedures as a basic minimum, in accordance with Article 12 of the GDPR:

  • identification/authentication of the Data Subject exercising their rights,
  • measures that ensure they can comply with response times.

Contact details. The rights referred to above may be exercised by email or by post using the
following contact details. In the event of legitimate doubt, and for security reasons, DBR reserves the
right to request a copy of an identity document bearing an unalterable watermark.

Les Domaines Barons de Rothschild (Lafite)
Service juridique
40 – 50 Cours du Médoc
BORDEAUX 33300, FRANCE
rgpd@lafite.com

Glossary of terms uses in this policy

In summary: Below are the published definitions for the capitalised terms used by DBR in this
Policy. These definitions are reproduced with reference to Article 4 of the GDPR.

“Data” or “Personal Data”. Means any information relating to an identified or identifiable natural
person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person.

“Purpose”. Refers to the organisation’s objective during the Data Processing. The Purpose must be
specific, explicit and legitimate.

“Regulations”. Refers to all the Regulations applicable to the Processing by DBR of Personal Data,
in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016, on the protection of natural persons with regard to the Processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
French Law no. 78-17 of 6 January 1978 on data privacy; as well as all national and international
standards in force in the field of electronic communications, such as, for example, Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the Processing of
personal data and privacy protection in the electronic communications sector (directive on privacy
and electronic communications).

“Controller”. Means the natural or legal person, public authority, agency or other body which, alone
or jointly with others, determines the Purposes and means of the Processing.

“Processing”. Means any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction.

Personal Data Protection Policy Lafite website

Back to the top of page
Meet the family...
Unfortunately you cannot enter this website as you are not of legal drinking and purchasing age.