Last updated: 21 August 2023
Who we are
- What types of personal data we collect;
- How we collect personal data;
- When and why we share it with other organisations, including the types of organisations involved;
- How long we keep personal data for; and
- The rights and choices you have with regards to your personal data.
We have separate privacy policies relating to Edrington’s current and prospective employees which can be reviewed at the bottom of this page, with variations reflecting local data protection law requirements that are available separately.
What types of personal data do we collect?
- Your name, age/date of birth (for age verification purposes) and location;
- Your contact details: postal addresses, including billing and delivery addresses, contact telephone numbers;
- Details of purchases and orders made by you or gifts/experiences made by or to you;
- When you make a purchase or place an order with us, your payment card details;
- Your correspondence and communications with Edrington;
- Personal data which you may have shared via a public platform (such as on Edrington’s Facebook or Instagram feed);
- Your communication and marketing preferences;
- Your interests, preferences, feedback and survey responses;
- Online browsing activities on Edrington’s website, IP address, mobile device ID, any login data, browser type and other technology you use to access this website.
How do we collect your personal data?
We collect your personal data when:
- You subscribe to receive news from Edrington or its brands;
- You make an online purchase or place an order online for an Edrington brand or merchandise;
- You enter a ballot or competition related to Edrington or one of Edrington’s brands;
- You attend one of our events or visit one of our sites;
- You store a cask in our warehouses;
- You give or receive any gifts or entertainment;
- You contact us, for whatever reason.
How do we use your personal data?
Edrington (and trusted partners acting on our behalf) use your personal data:
- With your agreement, to provide you with information, products or services that you request from us, or which we feel may interest you. This is only done when you’ve given your consent to be contacted by us, or where we are permitted to contact you in accordance with data protection law (such as where you have not opted out of receiving such information from us at the time of making a purchase from us);
- We may send you personalised communications based on your preferences, and use of Edrington’s products;
- To verify your identity and your age;
- For crime and fraud prevention, detection and related purposes;
- To enable Edrington to manage any customer service interactions with you;
- To carry out our obligations arising from any contracts entered into between you and us;
- To comply with our obligations under bribery legislation by recording all gifts and guests at events on our internal registers;
- To ensure that our web content is presented in the most efficient way for you and your computer;
- To allow you to participate in interactive features on our website, when you choose to do so; and
- Where we have a legal right or duty to use or disclose your information (for example in relation to an investigation by a public authority or in a legal dispute).
What is our legal reason for holding personal data?
Data protection laws require us to state our legal reason for processing your personal data.
Where we have requested your consent, Edrington’s brands rely on your consent to send you marketing communications. We may also send you marketing communications about Edrington’s brands where you have requested information from us or made a purchase and you have not opted out of receiving such communications.
You can withdraw your consent to receive these communications at any time by using the unsubscribe button included in the communications sent to you or by contacting us at [email protected]. Where you opt out of receiving marketing communications, this will not remove any personal data provided to us as a result of a purchase that you have made.
Edrington also collects and uses your personal data because it is necessary for:
- the pursuit of our legitimate interests (as set out below);
- the purposes of complying with our duties and exercising our rights under a contract for the sale of goods to a consumer; or
- complying with our legal and regulatory obligations.
Our legitimate interests
The normal legal basis for processing personal data, is that it is necessary for the legitimate interests of Edrington, or its subsidiary brand-owning companies, including:
- selling and supplying goods and providing services to our customers and consumers;
- protecting consumers, employees and other individuals and maintaining their safety, health and welfare;
- promoting, marketing and advertising our products, services, events, experiences and brand partnerships;
- understanding our consumers’ behaviour, activities, preferences, and needs;
- improving existing products and developing new products;
- protecting the Edrington brands;
- handling consumer and customer contacts, queries, complaints, or disputes; and
- preventing, investigating and detecting crime, fraud, or anti-social behaviour and prosecuting offenders.
Where we process your personal data in pursuit of our legitimate interests, you have the right to object to us using your personal data for the above purposes. If you wish to object to any of the above processing, please contact us at [email protected]. If we agree and comply with your objection, this may affect our ability to undertake the tasks above for your benefit.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you require any further information on how the processing for the new purpose is compatible with the original purpose, please contact us using the details below.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
What are your rights?
You have a number of rights under the data protection laws in relation to the way we process your personal data, namely:
- to access your personal data (commonly known as a "data subject access request") – this enables you to receive access the personal data we hold about you and to receive confirmation of how we are processing it;
- to have your personal data rectified if it is inaccurate or incomplete – this enables you to have any incomplete or inaccurate personal data we hold about you corrected, though we may need to verify the accuracy of the new personal data you provide to us;
- in certain circumstances, to have your personal data deleted or removed – this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with local law. Please note however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
- in certain circumstances, to restrict the processing of your personal data – this enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the personal data's accuracy;
- where our use of the personal data is unlawful but you don’t want us to erase it;
- where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your personal data (see below) but we need to verify whether we have overriding legitimate grounds to use it,
- a right of data portability, namely to obtain and reuse your personal data for your own purposes across different services. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data which you initially provided consent for us to use or where we used the personal data to perform a contract with you;
- to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms;
- not to be subject to automated decision-making (including profiling), where it produces a legal effect or a similarly significant effect on you;
- to withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent; and
- to claim compensation for damages caused by a breach of the data protection laws.
If you wish to exercise any of these rights, please contact [email protected].
Who do we share your personal data with?
To effectively fulfil our obligations to you, and to provide you with certain benefits, we use a number of trusted and reliable third parties to carry out functions which involve the processing of your personal data. These include:
- vendors who will process your personal data on our behalf and under our written instructions to carry out their services during the course of our business, such as IT, delivery and marketing service providers, financial institutions, customer relationship management vendors and other cloud-based solutions providers that are used by us in the conduct of our business. We contract with such vendors to ensure that they only process your personal data under our instructions and ensure the security and confidentiality of your personal data by implementing the appropriate technical and organisational measures for such processing;
- when you order products from any of our brand’s online shops, your details will be shared with our fulfilment partner, who will process your orders;
- we use marketing service providers to administer services on our behalf, such as sending communications to our consumers, administering any promotions or ballots which we run;
- other agencies and fulfilment partners to administer events, competitions and brand programmes that you have opted into;
- we may use tracing agents to locate owners of casks stored in our warehouses where the owners have not responded to communications from Edrington;
- our professional advisers (e.g. lawyers, accountants and bankers);
- other entities in the Edrington group of companies; and
- Edrington’s third-party distributors, joint venture partners or airport boutique operators.
We may provide information to others (such as governmental or law enforcement agencies) in the good faith belief that such action is necessary to: (i) enforce or apply terms and conditions; (ii) comply with any legal claims raised against Edrington; (iii) protect the rights, property or safety of Edrington; or (iv) protect the rights, property or safety of the public.
In accordance with applicable law, if Edrington becomes involved in a merger, acquisition, bankruptcy, or other transaction involving the sale of some or all of our assets, user information, including personal information collected from you through your use of our Website, could be included in the transferred assets. Should such an event occur, we will use reasonable means to notify you, either through email and/or a prominent notice on the Website.
Where we store your personal data
We may transfer your personal data outside of the United Kingdom. This is primarily to allow us to:
- receive consultancy, marketing and IT services (e.g. cloud storage services, database development and management services, email/webmail services and customer relationship management services) from vendors located in other jurisdictions, such as the United States and Australia; and
- provide special invitations, products, services, experiences and other benefits to you, from other Edrington group companies, or selected third party distributors, joint venture partners, or airport boutique operators.
Where your personal data is transferred outside of the United Kingdom, we will ensure your personal data is afforded an adequate level of data protections (as required by data protection laws), including:
- by transferring the data to a country that the United Kingdom authority has deemed as providing an adequate level of data protection (an "adequacy decision");
- by implementing an appropriate international transfer mechanism under data protection law, such as standard contractual clauses or a data transfer agreement / addendum approved for this purpose by the United Kingdom authority;
- by relying on a "transfer derogation" under data protection law (e.g. where the transfer is based on your explicit consent, or is necessary to perform a contract with you); or
- where we are otherwise permitted to make the transfer under data protection law.
Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the United Kingdom.
How long do we keep your personal data?
How do we protect your personal data?
Edrington is committed to keeping your personal data safe and secure. To prevent unauthorised access, maintain data accuracy and ensure the correct usage of personal data, we monitor and adjust our physical, electronic and managerial procedures to safeguard and secure the personal data we collect online.
If you have any questions or concerns about the way in which your personal data is processed, please contact [email protected].
You have the right to complain about data protection matters to the Information Commissioner’s Office (ICO).
The ICO is the UK's independent body set up to uphold information rights. You can find out more about the ICO on its website (https://ico.org.uk/). The ICO can be contacted by calling 0303 123 1113.
This policy may change from time to time. If we change anything important we will notify or contact you.