Version: August 2021
Coca-Cola Beverages Africa Proprietary Limited (“CCBA”) is committed to protecting your privacy and ensuring that your personal information is collected and used appropriately, lawfully and transparently in compliance with the Protection of Personal Information Act No. 4 of 2013 (“Act”).
This Privacy Notice (“Notice”) explains how we obtain, process and disclose your personal information and aims to inform you of your rights and how to exercise them.
This Notice sets out:
CCBA is the eighth largest Coca-Cola bottling partner worldwide and the biggest on the African continent. CCBA serves 14 countries in Africa including The Republic of South Africa, the Kingdom of Eswatini, the Kingdom of Lesotho, the Republic of Ghana, the Republic of Kenya, the Federal Democratic Republic of Ethiopia, the Republic of Mozambique, the United Republic of Tanzania, the Republic of Uganda, the Republic of Namibia, the Department of Mayotte, the Union of the Comoros, the Republic of Botswana and the Republic of Zambia.
CCBA is a South African company with its registered address at Waterfront Business Park, Building 7, Pommern Street, Humerail, Port Elizabeth, 6001.
In this Notice, reference to CCBA shall include the following South African registered entities listed below:
For the purposes of South African data protection legislation (which is, in the main, the Act), CCBA is a “responsible party” in respect of your personal information. This means that CCBA is responsible for deciding how it holds and uses your personal information. This includes ensuring that CCBA uses your personal information in compliance with applicable data protection legislation in South Africa and in accordance with CCBA’s data protection policies, as amended from time to time.
“Personal information” includes information relating to an identifiable, living, natural person or an identifiable, existing juristic person. In essence, this is any information or data that can be used to identify you or that CCBA can link to you and which CCBA has in its possession and/or under its control. It does not include data where the identity has been removed (de-identified data).
There are also certain types of more sensitive personal information, referred to as “special personal information” in the Act, which requires a higher level of protection, such as information about a person’s health, sexual orientation or criminal convictions.
We will collect and process the following personal information:
Personal information may be processed by CCBA for the following reasons:
CCBA is entitled to use personal information in these ways because:
We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, or, if required, seek your consent.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
CCBA may share your personal information with:
Where personal information is disclosed to third parties, we will take steps to ensure that such personal information is accessed only by those persons who need to do so for the purposes described in this Notice, and that appropriate security measures are in place to protect your personal information in line with our policies.
We do not allow our third-party service providers, contractors or agents to use your personal information for their own purposes; we only permit them to process your personal information for specified purposes and in accordance with our instructions.
We are legally obliged to provide adequate protection for the personal information we hold and to stop unauthorised access and use of personal information. We will, on an ongoing basis, continue to review security controls and related processes to ensure that your personal information is secure.
Security policies and procedures cover:
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that the personal information we are responsible for, is kept secure.
We may transfer your personal information to another country for processing or storage. We will ensure that anyone to whom we pass your personal information to agrees to treat your information with the same level of protection as we are obliged to.
You have a number of legal rights in relation to the personal information that we hold about you.
These rights include:
You can exercise your rights by contacting CCBA, in writing, using the contact information set out below. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information, or to exercise any of your other rights.
You can find out more information about your rights by contacting the South African Information Regulator, whose contact details are:
http://www.justice.gov.za/inforeg/index.html
General enquiries: inforeg@justice.gov.za
Complaints: complaints.IR@justice.gov.za
Please note that we may amend this Notice from time to time. Please check our website periodically to inform yourself of any changes.
If you would like further information regarding this Notice, please address your questions, comments and/or requests to privacyoffice@ccbagroup.com for the attention of the Privacy Specialist, who is responsible for overseeing compliance with this Notice.
Version: 22 October 2021
Coca-Cola Beverages Africa (Pty) Ltd
(Registration Number 2016/050997/07)
Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “CCBA”) respects the privacy of its stakeholders and is committed to protecting it in accordance with the Protection of Personal Information Act No. 4 of 2013 (POPIA) and any other applicable data protection laws.
This Privacy Policy (“Policy”) sets out the minimum basis for CCBA and its Personnel with respect to the Processing of Personal Information and provides appropriate and consistent safeguards for the handling of Personal Information.
This Privacy Notice (“Notice”) explains how we obtain, process and disclose your personal information and aims to inform you of your rights and how to exercise them.
This Notice sets out:
CCBA for the purposes of carrying out its business and related objectives, does and will from time to time, process the Personal Information of living individuals and legal entities, including public and private entities, such as Personal Information relating to employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, customers, and other third parties.
CCBA is obligated to comply with Applicable Data Protection Laws and the data protection conditions set out therein with respect to the processing of all and any Personal Information. This Policy describes how CCBA will discharge its duties to ensure continuing compliance with Applicable Data Protection Laws in general and the information protection conditions and rights of Data Subjects.
When used in this Policy,
3.1 CCBA, its Personnel and its Operators / Processors respect the privacy rights and interests of each Data Subject and adhere to the following data protection conditions when Processing Personal Information:
3.2 Any Personnel acting under the authority of CCBA, who has access to Personal Information, will not process Personal Information except on instructions from CCBA. Access to internal CCBA systems that contain Personal Information is limited to a select group of authorized CCBA Personnel who have a business need to access particular Personal Information. Personnel are given access to such systems through the use of a unique identifier and password and other access control mechanisms.
3.3 Personnel who require permanent or regular access to Personal Information are bound by non-disclosure and confidentiality agreements, instructions and policies intended to protect the confidentiality of Personal Information.
3.4 Appropriate training will be provided to Personnel who have permanent or regular access to Personal Information or who are involved in the Processing of Personal Information.
4.1 CCBA will Process Personal Information only in the following limited circumstances: • Where the Data Subject, or a competent person where the Data Subject is a child, consents to the Processing;
4.2 Processing operations falling under one of the points set out in section 4.1 above, notably include the following, and CCBA will use the Personal Information it collected about a Data Subject for the following purposes: • Providing products and services as requested by customers and consumers, including sending of marketing communications to Data Subjects;
4.3 When the Processing of Personal Information is based on the consent of the Data Subject, CCBA and its Personnel will obtain clear and explicit consent from the Data Subject.
4.4 For consent of minors, the requirements stipulated under section 16 below must be considered in addition.
4.5 CCBA will not process Sensitive Personal Information except where:
4.6 CCBA will collect and process the following types of Personal Information:
4.7 CCBA collects and processes Personal Information in the following ways:
5.1 CCBA has a designated information officer / data protection officer (“Information Officer / Data Protection Officer”). The Information Officer / Data Protection Officer can be reached at privacy@ccbagroup.com.
5.2 CCBA has registered the Information Officer / Data Protection Officer in accordance with Applicable Data Protection Laws.
6.1 CCBA and its Personnel will monitor and document CCBA’s compliance with this Policy and Applicable Data Protection Laws on an ongoing basis. CCBA and its Personnel will maintain and permanently update a data privacy framework to ensure and be able to demonstrate that Personal Information is Processed in accordance with the requirements of this Policy and Applicable Data Protection Laws.
6.2 CCBA and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and able to demonstrate that Processing is performed in accordance with this Policy and the requirements of POPIA.
7.1 Where Personal Information is collected from a Data Subject, CCBA shall provide the Data Subject with all of the following information at the time when the Personal Information is obtained:
Purposes of the Processing for which the Personal Information is intended as well as the legal basis for the Processing;
Where the Processing is based on purposes of legitimate interests pursued by CCBA or by a third party, the legitimate interests pursued by CCBA or by the third party;
Recipients or categories of Recipients of the Personal Information, if any;
Where applicable, the fact that CCBA intends to transfer Personal Information to another country or international organisation, and the existence or absence of an adequacy decision by the relevant data protection authority, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
The existence of the right to request from CCBA access to and rectification or erasure of Personal Information or restriction of Processing concerning the Data Subject or to object to Processing;
Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;
Any third parties that Personal Information is collected from;
Right to lodge a complaint with the relevant data protection authority; and
Whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Information and of the possible consequences of failure to provide such personal information.
7.2 When CCBA intends to further process Personal Information for a purpose other than that for which the Personal Information was collected, CCBA will and shall obtain consent from the Data Subject prior to that further Processing.
7.3 CCBA provides the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information may be provided in writing or by electronic means, but in any case, without any media interruption.
8.1 CCBA and its Personnel will ensure that Data Subjects are able to exercise their rights with regard to the data Processing, including:
8.2 CCBA and its Personnel will provide any information and any communication relating to Processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The communication may be provided in writing or by electronic means.
8.3 CCBA and its Personnel will ensure that information or action taken on a request to the Data Subject will be provided without undue delay and in any event within 1 (one) month of receipt of the request. When CCBA and its Personnel do not take action on the request of a Data Subject, CCBA and its Personnel will inform the Data Subject without delay and at the latest within 1 (one) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
8.4 CCBA and its Personnel will communicate any rectification or erasure of Personal Information or restriction of Processing to each Recipient to whom the Personal Information has been disclosed, unless this proves impossible or involves disproportionate effort.
Reasonable steps will be taken to ensure the Personal Information is accurate and, where necessary, up to date. Furthermore, CCBA will take every reasonable step to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified, as applicable.
10.1 CCBA shall ensure that Personal Information will only be transferred internationally in compliance with the provisions of Applicable Data Protection Laws. Personal Information may be shared within CCBA around the world in accordance with Applicable Data Protection Laws and/or under one or more inter-company agreements which safeguard the integrity of the Personal Information and the privacy rights of the Data Subjects concerned.
10.2 CCBA shall ensure that the transfer of Personal Data internationally will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.
11.1 CCBA will retain Personal Information in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.
11.2 CCBA shall ensure that Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is Processed.
11.3 CCBA will securely erase Personal Information without undue delay when:
11.4 The principles set out under section 11.3 above will not apply when Processing is necessary for compliance with a legal obligation which requires CCBA to keep Personal Information.
12.1 CCBA will seek to build data protection principles, and in particular adherence to this Policy, into the design of all new (and of significant changes to existing) processes and systems involving the Processing of Personal Information.
13.1 CCBA will share Personal Information with selected Operators / Processors that deliver products and services.
13.2 CCBA will only work with Operators / Processors on the basis of written Operator agreements that set out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects and the obligations and rights of CCBA. CCBA and its Personnel will ensure that Operators / Processors:
At the election of CCBA, delete or return all Personal Information to CCBA after the end of the provision of services relating to Processing, and that all existing copies are, and
Make available to CCBA, all information necessary to demonstrate compliance with the legal obligations and allow for and contribute to audits, including inspections, conducted by CCBA or another auditor mandated by CCBA.
13.3 CCBA will maintain and permanently update a list/record of all Operators / Processors.
13.4 CCBA and its Personnel will ensure that Operators / Processors do not engage other Operators / Processors without prior specific or general written authorization of CCBA.
14.1 CCBA will disclose Personal Information to third parties when at least one of the following applies:
15.1 CCBA and its Personnel will process Personal Information to conduct direct marketing when the Data Subject has provided his/her prior express consent and / or as otherwise authorized by Applicable Data Protection Laws.
16.1 CCBA will not allow the Processing of the Personal Information of a minor where the minor is below the age of 18 (eighteen) years.
16.2 CCBA and its Personnel will only process Personal Information of a minor if:
prior consent is obtained from a competent person (parent or legal guardian);
it is necessary for the establishment, exercise or defence of a right or obligation in law;
it is necessary to comply with an obligation of international public law.
17.1 CCBA has appointed an Information Officer / Data Protection Officer, who enforces compliance with this Policy.
17.2 CCBA and its Personnel are responsible for observing this Policy. Non-compliance with this Policy may result in disciplinary sanctions, dismissal, or any other type of sanction permitted by applicable law.
17.3 If at any time any person subject to this Policy believes that Personal Information is or have been Processed in violation of this Policy, he/she must report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at privacy@ccbagroup.com.
17.4 If any Personnel believes that he/she is not able to comply with this Policy because of legal requirements or instructions given to him/her, he/she should immediately report that information to the Privacy Office. The CCBA Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance.
18.1 CCBA and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Information against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage, and ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
18.2 CCBA is obliged to implement technical and organizational security measures for Processing of any Personal Information.
18.3 Technical measures are those that directly involve the IT system. Organizational measures, on the other hand, relate to the system’s environment and particularly to the Personnel using it.
19.1 If at any time Personnel become aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information or believes that Personal Information is or has been Processed in violation of this Policy, he/she should immediately report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at privacy@ccbagroup.com.
19.2 CCBA will inform affected Data Subjects without undue delay of any such breach of security which is likely to result in a high risk to their privacy, providing them with appropriate information about the breach, including all information required under Applicable Data Protection Laws.
19.3 In the case of a Personal Information breach affecting Data Subjects, CCBA will without undue delay after having become aware of it, notify the Personal Information breach to the relevant data protection authority.
20.1 CCBA and, where applicable, its representatives, will cooperate, on request, with the relevant data protection authority in the performance of its tasks. CCBA commits to cooperate with the relevant data protection authority to address any complaints and comply with the advice or orders given by the relevant data protection authority.
20.2 CCBA will respond diligently and appropriately to inquiries from the relevant data protection authority.
20.3 All inquiries relating to this Policy should be directed to the Privacy Office and the Information Officer / Data Protection Officer: privacy@ccbagroup.com.
21.1 This Policy will come into effect on 1 July 2021. This Policy will be published on the CCBA website. CCBA is committed to communicating this Policy to and how it may be accessed by all current and new Personnel. Each CCBA Personnel is obliged to take notice and review this Policy including any amendments of this Policy in future.
21.2 CCBA reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, CCBA practices and procedures, or requirements imposed by relevant data protection authorities. CCBA will post all changes to this Policy on relevant websites.
Visit our contact page.
Version: 21 October 2021