Privacy Centre

Version: August 2021

CCBA Privacy Notice

Coca-Cola Beverages Africa Proprietary Limited (“CCBA”) is committed to protecting your privacy and ensuring that your personal information is collected and used appropriately, lawfully and transparently in compliance with the Protection of Personal Information Act No. 4 of 2013 (“Act”). 

 

This Privacy Notice (“Notice”) explains how we obtain, process and disclose your personal information and aims to inform you of your rights and how to exercise them. 

 

This Notice sets out: 

  • Who we are 
  • What personal information we collect 
  • How we use your personal information 
  • To whom we may disclose your personal information 
  • How we safeguard your personal information 
  • Your rights in relation to personal information 
  • Changes to this Notice 
  • How to contact us 

Who we are

CCBA is the eighth largest Coca-Cola bottling partner worldwide and the biggest on the African continent. CCBA serves 14 countries in Africa including The Republic of South Africa, the Kingdom of Eswatini, the Kingdom of Lesotho, the Republic of Ghana, the Republic of Kenya, the Federal Democratic Republic of Ethiopia, the Republic of Mozambique, the United Republic of Tanzania, the Republic of Uganda, the Republic of Namibia, the Department of Mayotte, the Union of the Comoros, the Republic of Botswana and the Republic of Zambia. 

 

CCBA is a South African company with its registered address at Waterfront Business Park, Building 7, Pommern Street, Humerail, Port Elizabeth, 6001. 

 

In this Notice, reference to CCBA shall include the following South African registered entities listed below: 

  • Coca-Cola Beverages South Africa (Pty) Ltd (Registration Number 2015/027638/07);
  • Appletiser South Africa (Pty) Ltd (Registration Number 1956/002074/07); and 
  • Coca-Cola Sabco (Pty) Ltd (Registration Number 1995/010764/07).

 

For the purposes of South African data protection legislation (which is, in the main, the Act), CCBA is a “responsible party” in respect of your personal information. This means that CCBA is responsible for deciding how it holds and uses your personal information. This includes ensuring that CCBA uses your personal information in compliance with applicable data protection legislation in South Africa and in accordance with CCBA’s data protection policies, as amended from time to time. 

What personal information we collect

“Personal information” includes information relating to an identifiable, living, natural person or an identifiable, existing juristic person. In essence, this is any information or data that can be used to identify you or that CCBA can link to you and which CCBA has in its possession and/or under its control. It does not include data where the identity has been removed (de-identified data).

 

There are also certain types of more sensitive personal information, referred to as “special personal information” in the Act, which requires a higher level of protection, such as information about a person’s health, sexual orientation or criminal convictions. 

 

We will collect and process the following personal information: 

  • Information that you or someone acting on your behalf provides to us. This includes information about you that is given to us by filling in forms or by communicating with us, whether face-to-face, by phone, e-mail or otherwise. 
  • Information that we collect or generate about you. We will also collect information about you when you purchase our products or when we otherwise interact or correspond with you. 
  • If you are a customer, this information may include: o Information about you, your transactions, financial information and relationship to others; 
    – Data that we collect about your use of CCBA’s IT systems; 
    – Information for tax reporting (e.g. VAT); 
    – Information which is required for us to comply with our legal or regulatory obligations; 
    – Recordings of telephone calls between you and us – if we have a specific legal basis or are legally required to record telephone conversations; and
    Information which we obtain from other sources: if we collect or receive your personal information in the context of the sale of products, we might receive information from third parties, other parties relevant to the products we are providing and others such as regulators and/or other authorities. This information could include your name, contact details, and other information relevant to the products that we are selling to our customers. 
  • CCBA uses various technologies to collect and store information when you visit the CCBA website. We may, for example, collect information about the type of device you use to access our website, your IP address and your geographic location, the operating system and version, your browser type, the content you view and features you access on the website, the web pages and the search terms you enter in our website. For information about how CCBA uses Cookies and the choices you may have, you can access CCBA’s Cookies Policy on our website, www.ccbagroup.com. 
  • Information captured on security systems, including closed circuit television (“CCTV”). 

How we use your personal information

Personal information may be processed by CCBA for the following reasons: 

  • To perform a contractual obligation in terms of a contract we have in place with you or a third-party to whom you are connected (including performing our obligations and exercising our rights); 
  • To provide products and services as requested by customers and consumers, including sending of marketing communications; 
  • To allow you to register and participate in promotions, special offers, loyalty programs, prize draws etc.; 
  • To perform data analytics to derive trends and improve CCBA’s products and services; 
  • To concluding contracts and business transactions; 
  • To confirming, verifying and updating your details; 
  • To communicate with you in connection with your relationship with us and the products we provide to you; 
  • To notify you about any changes to our products and/or services; 
  • To conduct reference checks and/or conduct credit reference searches or verifications; 
  • To protecting safety, security, rights and freedoms of CCBA, its customers, consumers, business partners, and personnel; 
  • To detect and prevent fraud, crime, money laundering or other malpractice; 
  • To comply with legal requirements; 
  • To carry out processing in the context of the use of cookies and similar technologies; 
  • To investigate any complaints or queries you or a third-party to whom you are connected may have. 

 

CCBA is entitled to use personal information in these ways because: 

  • Consent – we may process your personal information by obtaining your consent, when required. You can withdraw your consent by contacting us (see our contact information below); 
  • Contract – we may need to process your personal information to enter into a contract with you, or to perform our obligations under a contract with you; 
  • Legitimate interest – we may process your personal information for your or our legitimate interest/s; 
  • Compliance with law – we may process your personal information as is necessary for compliance with a legal obligation arising under the law to which CCBA is subject; or 
  • Public and vital interest – we may process your personal information where it is necessary in order to protect your vital interests or for the performance of a task carried out in the public’s interest.

 

We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, or, if required, seek your consent. 

 

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

To whom we may disclose your personal information

CCBA may share your personal information with: 

  • Third parties contracted or mandated by CCBA, including service providers, contractors or agents, for the purposes listed above, for example sales and distribution partners, credit reference and fraud prevention agencies and outlet surveyors; 
  • Relevant authorities, to the extent required by law, regulation or court order, for example CCBA is under a duty to disclose personal information in order to comply with any legal or regulatory obligation; and 
  • Advisors and legal counsel in order to establish, exercise or defend CCBA’s rights, for example if CCBA needs to obtain external legal advice or provide personal information in connection with judicial proceedings. 

 

Where personal information is disclosed to third parties, we will take steps to ensure that such personal information is accessed only by those persons who need to do so for the purposes described in this Notice, and that appropriate security measures are in place to protect your personal information in line with our policies. 

 

We do not allow our third-party service providers, contractors or agents to use your personal information for their own purposes; we only permit them to process your personal information for specified purposes and in accordance with our instructions. 

How we safeguard your personal information

We are legally obliged to provide adequate protection for the personal information we hold and to stop unauthorised access and use of personal information. We will, on an ongoing basis, continue to review security controls and related processes to ensure that your personal information is secure.

Security policies and procedures cover: 

  • Physical security; 
  • Computer and network security; 
  • Access to personal information; 
  • Secure communications; 
  • Security in contracting out activities or functions; 
  • Retention and disposal of information; 
  • Acceptable usage of personal information; 
  • Governance and regulatory issues; 
  • Monitoring access and usage of personal information; and 
  • Investigating and reacting to security incidents. 

 

When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that the personal information we are responsible for, is kept secure. 

We may transfer your personal information to another country for processing or storage. We will ensure that anyone to whom we pass your personal information to agrees to treat your information with the same level of protection as we are obliged to. 

Your rights in relation to personal information

You have a number of legal rights in relation to the personal information that we hold about you. 

 

These rights include: 

  • The right to access the personal information that we hold about you. Please note that any such access request may be subject to a payment of a legally allowable fee and we will let you know what it is at the time of your request; 
  • The right to request that we rectify any of your personal information that we process in accordance with this Notice. The personal information that you may request us to rectify is personal information that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading, or which was obtained unlawfully, or that we are no longer authorised to retain; 
  • The right to request that we destroy or delete any of your personal information that we have processed in accordance with this Notice. Please note that there may be circumstances where you ask us to erase your personal information but CCBA is legally entitled or obliged to retain it and we are therefore entitled to refuse your request; 
  • The right to object on reasonable grounds, and the right to request that we restrict our processing of your personal information relating to your particular situation, unless the processing is required by law. Again, there may be circumstances where you object to, or ask us restrict our processing of your personal information but CCBA is legally entitled or obliged to continue processing your personal information and is therefore entitled to refuse your request. However, you may raise an objection if you are of the view that the processing of your personal information is not necessary to pursue your or our legitimate interests; and 
  • The right to lodge a complaint with the Information Regulator in South Africa if you think that any of your rights have been infringed by us. 

 

You can exercise your rights by contacting CCBA, in writing, using the contact information set out below. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information, or to exercise any of your other rights. 

 

You can find out more information about your rights by contacting the South African Information Regulator, whose contact details are: 

http://www.justice.gov.za/inforeg/index.html 

General enquiries: inforeg@justice.gov.za 

Complaints: complaints.IR@justice.gov.za 

Changes to this Notice

Please note that we may amend this Notice from time to time. Please check our website periodically to inform yourself of any changes. 

How to contact us

If you would like further information regarding this Notice, please address your questions, comments and/or requests to privacyoffice@ccbagroup.com for the attention of the Privacy Specialist, who is responsible for overseeing compliance with this Notice. 

Version: 22 October 2021

CCBA Privacy Policy

Coca-Cola Beverages Africa (Pty) Ltd 

(Registration Number 2016/050997/07) 

 

Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “CCBA”) respects the privacy of its stakeholders and is committed to protecting it in accordance with the Protection of Personal Information Act No. 4 of 2013 (POPIA) and any other applicable data protection laws.

This Privacy Policy (“Policy”) sets out the minimum basis for CCBA and its Personnel with respect to the Processing of Personal Information and provides appropriate and consistent safeguards for the handling of Personal Information.

 

This Privacy Notice (“Notice”) explains how we obtain, process and disclose your personal information and aims to inform you of your rights and how to exercise them.

 

This Notice sets out:

  • Who we are
  • What personal information we collect
  • How we use your personal information
  • To whom we may disclose your personal information
  • How we safeguard your personal information
  • Your rights in relation to personal information
  • Changes to this Notice
  • How to contact us

Contents

  1. Introduction
  2. Key Terms and Definitions
  3. Basic Principles Of Data Processing
  4. Purpose of Data Processing and Justification Basis
  5. Information Officer / Data Protection Officer
  6. Accountability
  7. Information Obligations
  8. Rights of the Data Subject
  9. Accuracy of Data
  10. Transfer of Personal Information Internationally
  11. Storage and Erasure of Personal Information
  12. Data Protection By Design and Default
  13. Operators Processors
  14. Recipients
  15. Direct Marketing
  16. Children
  17. Complaint Handling/Enforcement Process
  18. Data Security
  19. Data protection Breaches and Security Incidents
  20. Obligations Towards Data Protection Authority
  21. Implementation of and Modifications to this Policy
  22. Contact Us

1. Introduction

CCBA for the purposes of carrying out its business and related objectives, does and will from time to time, process the Personal Information of living individuals and legal entities, including public and private entities, such as Personal Information relating to employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, customers, and other third parties.

 

CCBA is obligated to comply with Applicable Data Protection Laws and the data protection conditions set out therein with respect to the processing of all and any Personal Information. This Policy describes how CCBA will discharge its duties to ensure continuing compliance with Applicable Data Protection Laws in general and the information protection conditions and rights of Data Subjects.

2. Key Terms & Definitions

When used in this Policy,

      • Applicable Data Protection Laws” means all applicable laws and regulations in relation to data protection, privacy and/or the recording, monitoring or interception of communication; 
      • CCBA” means Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information; 
      • Controlling CCBA Company” means Coca-Cola Beverages Africa (Pty) Ltd; 
      • Data Subject/s” means any living natural person or existing juristic person who can be identified, directly or indirectly, via an identifier such as a name, ID number, registration number, email address, location data etc.; 
      • Information Officer” or “Data Protection Officer” has the meaning as set out in section 5.1 of this Policy; 
      • Personal Information” has the meaning as defined in Applicable Data Protection Laws; 
      • Personnel” means any and all employees, interns, trainees and other employees of any kind who work for CCBA; 
      • Processing” has the meaning as defined in Applicable Data Protection Law; “Process” and “Processed” shall have corresponding meanings; 
      • Operator/s” or “Processor/s” has the meaning as defined in Applicable Data Protection Laws; 
      • Recipient/s” is any natural or legal person, public authority, agency or another body, to which Personal Information is disclosed, whether a third party or not; 
      • Responsible Party” or “Controller” means the party that determines the purpose of and means for processing Personal Information; 
      • Special Personal Information” has the meaning as defined in Applicable Data Protection Laws; 
      • third party” means a natural or legal person, public authority, agency or body other than the Data Subject, and other than the Controlling CCBA Company, Operator / Processor and other persons who, under the direct authority of the Controlling CCBA Company or an Operator / Processor, are authorized to process Personal Information.

3. Basic Principles Of Data Processing

3.1  CCBA, its Personnel and its Operators / Processors respect the privacy rights and interests of each Data Subject and adhere to the following data protection conditions when Processing Personal Information:

  • Accountability: The Responsible Party must ensure compliance with POPIA. A data protection policy must be established. An internal information officer to champion compliance with POPIA must be appointed. 
  • Processing limitation: The collection of Personal Information must:
    – Not be excessive
    Be legally justifiable 
    – Not be collected from third parties without good reason
    The Responsible Party must develop procedures / policies to ensure that Personal Information is processed in a “reasonable manner”.
  • Purpose specification: Personal Information must only be collected in connection with a specific purpose related to the function or activity of the Responsible Party collecting the information. Personal information must not be stored for longer than necessary.
  • Restriction on further processing: Once Personal Information has been collected and lawful processing has occurred, the Responsible Party may only further process that data in limited circumstances. These limited circumstances are determined based on whether the purpose of the further processing is “compatible” with the previously defined purpose. 
  • Information quality: The Responsible Party must ensure that any Personal Information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the Responsible Party must consider the purpose for which the Personal Information is collected or further processed.
  • Openness: The Responsible Party must take reasonably practicable steps to ensure that Data Subject are aware that their Personal Information is being processed and the reason for such processing. 
  • Security Safeguards: The Responsible Party must secure the integrity and confidentiality of any Personal Information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction of, and unlawful access to the Personal Information in its possession. 
  • Data Subject Participation: Data Subjects must be allowed access to their personal information and to request that Personal Information is corrected, updated or deleted if inaccurate.

 

3.2  Any Personnel acting under the authority of CCBA, who has access to Personal Information, will not process Personal Information except on instructions from CCBA. Access to internal CCBA systems that contain Personal Information is limited to a select group of authorized CCBA Personnel who have a business need to access particular Personal Information. Personnel are given access to such systems through the use of a unique identifier and password and other access control mechanisms. 

 

3.3 Personnel who require permanent or regular access to Personal Information are bound by non-disclosure and confidentiality agreements, instructions and policies intended to protect the confidentiality of Personal Information. 

 

3.4 Appropriate training will be provided to Personnel who have permanent or regular access to Personal Information or who are involved in the Processing of Personal Information. 

4. Purpose Of Data Processing And Justification Basis

4.1 CCBA will Process Personal Information only in the following limited circumstances: • Where the Data Subject, or a competent person where the Data Subject is a child, consents to the Processing; 

  • where the Processing is necessary for CCBA’s performance, execution or termination of a contract to which the relevant Data Subject is a party, or in order to take steps at the request of the Data Subject before entering into such a contract; 
  • where the Processing is necessary for compliance with a legal obligation arising under the law to which CCBA is subject; 
  • where Processing of Personal Information is necessary for the purposes of legitimate interests pursued by CCBA or a third party, unless the interests of the Data Subject are overridden, in the circumstances, by the privacy-related interests or fundamental rights and freedoms of the relevant Data Subject. Legitimate interests could be a lawful basis for Processing, when the Data Subject can reasonably expect at the time and in the context of the collection of his/her Personal Information that Processing for a given purpose may take place. Examples of purposes of Processing that could be based on the legitimate interests include, but are not limited to: fraud detection, responses to requests of individuals, protection of CCBA’s interests (e.g. to respond to requests from government agencies); 
  • where the Processing is necessary in order to protect the vital interests of a Data Subject; or where the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public law duty by a public body. 
    •  

4.2 Processing operations falling under one of the points set out in section 4.1 above, notably include the following, and CCBA will use the Personal Information it collected about a Data Subject for the following purposes: • Providing products and services as requested by customers and consumers, including sending of marketing communications to Data Subjects; 

  • Personalising marketing communications to Data Subjects; 
  • Allowing Data Subjects to register and participate in promotions, special offers, loyalty programs, prize draws etc.; 
  • Data analytics to derive trends and improve CCBA products and services; 
  • Concluding contracts and business transactions; 
  • Confirming, verifying and updating Data Subject details; 
  • Managing the CCBA workforce, including providing benefits and entitlements (such as compensation and benefits) to Personnel; 
  • Complying with employment and labour laws, regulations, and requirements; 
  • Communicating with Data Subjects including Personnel, business partners, consumers and customers; 
  • Conducting criminal reference checks and/or conducting credit reference searches or verifications; 
  • Protecting the rights and freedoms of CCBA, its customers, consumers, business partners, and Personnel; 
  • For the detection and prevention of fraud, crime, money laundering or other malpractice; 
  • Processing operations in the context of mergers, acquisitions and other corporate operations; 
  • Complying with legal requirements; 
  • Protecting and enhancing the security and safety of CCBA and individuals including customers, consumers, business partners, and Personnel; or 
  • Processing carried out in the context of the use of cookies and similar technologies.

 

4.3 When the Processing of Personal Information is based on the consent of the Data Subject, CCBA and its Personnel will obtain clear and explicit consent from the Data Subject. 

 

4.4 For consent of minors, the requirements stipulated under section 16 below must be considered in addition. 

 

4.5 CCBA will not process Sensitive Personal Information except where: 

  • The Data Subject has given his/her explicit consent to the Processing for one or more specified purpose; 
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of CCBA or of the Data Subject (i.e. in the field of employment and social security and legislative obligations); 
  • the Processing is necessary to protect the Data Subject’s “vital interests” and the Data Subject is physically or legally incapable of giving consent; 
  • Processing relates to Personal Information which is manifestly made public by the Data Subject; or 
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever a regulatory body, agency, or judicial authority requires this in its official capacity.

 

4.6 CCBA will collect and process the following types of Personal Information: 

  • Browser and device information: IP address, MAC address, Google Ad ID, Identity For Advertisers (device ID); 
  • Server log file information; and 
  • Activity / Engagement Personal Information (e.g. data and time of activity on relevant websites, number of times a website is visited, which items are clicked). 

 

4.7 CCBA collects and processes Personal Information in the following ways: 

  • Through the website: We collect Personal Data through the website; 
  • Offline: We collect Personal Information offline, such as when a Data Subject contacts customer service; and 
  • Using cookies: We collect Personal Information when a Data Subject browses the website, by using cookies. Our collection and processing of Personal Information via cookies is governed by our Cookie Policy, which is available here: https://www.ccbagroup.com/coca-cola-beverages-africa-pty-ltd-ccba-cookie-policy/. 

5. Information Officer / Data Protection Officer

5.1 CCBA has a designated information officer / data protection officer (“Information Officer / Data Protection Officer”). The Information Officer / Data Protection Officer can be reached at privacy@ccbagroup.com. 

 

5.2 CCBA has registered the Information Officer / Data Protection Officer in accordance with Applicable Data Protection Laws. 

6. Accountability

6.1 CCBA and its Personnel will monitor and document CCBA’s compliance with this Policy and Applicable Data Protection Laws on an ongoing basis. CCBA and its Personnel will maintain and permanently update a data privacy framework to ensure and be able to demonstrate that Personal Information is Processed in accordance with the requirements of this Policy and Applicable Data Protection Laws. 

 

6.2 CCBA and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and able to demonstrate that Processing is performed in accordance with this Policy and the requirements of POPIA. 

7. Information Obligations

7.1 Where Personal Information is collected from a Data Subject, CCBA shall provide the Data Subject with all of the following information at the time when the Personal Information is obtained: 

  • Identity and contact details of CCBA and, where applicable, of CCBA’s representative/s;
  • Contact details of the Information Officer / Data Protection Officer; 
  • Purposes of the Processing for which the Personal Information is intended as well as the legal basis for the Processing; 

  • Where the Processing is based on purposes of legitimate interests pursued by CCBA or by a third party, the legitimate interests pursued by CCBA or by the third party; 

  • Recipients or categories of Recipients of the Personal Information, if any; 

  • Where applicable, the fact that CCBA intends to transfer Personal Information to another country or international organisation, and the existence or absence of an adequacy decision by the relevant data protection authority, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available; 

  •  The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; 

  • The existence of the right to request from CCBA access to and rectification or erasure of Personal Information or restriction of Processing concerning the Data Subject or to object to Processing; 

  • Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal; 

  • Any third parties that Personal Information is collected from;

  • Right to lodge a complaint with the relevant data protection authority; and 

  • Whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Information and of the possible consequences of failure to provide such personal information. 

 

7.2 When CCBA intends to further process Personal Information for a purpose other than that for which the Personal Information was collected, CCBA will and shall obtain consent from the Data Subject prior to that further Processing. 

 

7.3 CCBA provides the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information may be provided in writing or by electronic means, but in any case, without any media interruption. 

8. Rights Of The Data Subject

8.1 CCBA and its Personnel will ensure that Data Subjects are able to exercise their rights with regard to the data Processing, including:

 

  • Right to be informed;
  • Right of access by the Data Subject;
  • Right to rectification;
  • Right to erasure;
  • Right to restriction of Processing;
  • Right to data portability;
  • Right to object against the Processing; and
  • Right to lodge a complaint with the relevant data protection authority. 

 

8.2 CCBA and its Personnel will provide any information and any communication relating to Processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The communication may be provided in writing or by electronic means. 

 

8.3 CCBA and its Personnel will ensure that information or action taken on a request to the Data Subject will be provided without undue delay and in any event within 1 (one) month of receipt of the request. When CCBA and its Personnel do not take action on the request of a Data Subject, CCBA and its Personnel will inform the Data Subject without delay and at the latest within 1 (one) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 

 

8.4 CCBA and its Personnel will communicate any rectification or erasure of Personal Information or restriction of Processing to each Recipient to whom the Personal Information has been disclosed, unless this proves impossible or involves disproportionate effort. 

9. Accuracy Of Data

Reasonable steps will be taken to ensure the Personal Information is accurate and, where necessary, up to date. Furthermore, CCBA will take every reasonable step to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified, as applicable.

10. Transfer Of Personal Information Internationally

10.1 CCBA shall ensure that Personal Information will only be transferred internationally in compliance with the provisions of Applicable Data Protection Laws. Personal Information may be shared within CCBA around the world in accordance with Applicable Data Protection Laws and/or under one or more inter-company agreements which safeguard the integrity of the Personal Information and the privacy rights of the Data Subjects concerned. 

 

10.2 CCBA shall ensure that the transfer of Personal Data internationally will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements. 

11. Storage & Erasure Of Personal Information

11.1 CCBA will retain Personal Information in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.

 

11.2 CCBA shall ensure that Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is Processed. 


11.3 CCBA will securely erase Personal Information without undue delay when:

  • the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
  • the Data Subject withdraws consent on which the Processing is based and where there is no other legal ground for the Processing;
  • the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; or
  • the Personal Information has been unlawfully Processed.


11.4 The principles set out under section 11.3 above will not apply when Processing is necessary for compliance with a legal obligation which requires CCBA to keep Personal Information. 

12. Data Protection By Design and Default

12.1 CCBA will seek to build data protection principles, and in particular adherence to this Policy, into the design of all new (and of significant changes to existing) processes and systems involving the Processing of Personal Information.

13. Operators / Processors & Sharing Of Personal Information

13.1 CCBA will share Personal Information with selected Operators / Processors that deliver products and services.

 

13.2 CCBA will only work with Operators / Processors on the basis of written Operator agreements that set out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects and the obligations and rights of CCBA. CCBA and its Personnel will ensure that Operators / Processors:

  • Process Personal Information only on documented instructions from CCBA;
  • Put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate obligation of confidentiality;
  • Assist CCBA by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of CCBA’s obligation to respond to requests for exercising the Data Subject’s rights;
  • Assist CCBA in ensuring compliance with legal obligations, in particular, the implementation of technical and organization measures and the notification in case of a Personal Information breach or security incidents;
  • Inform CCBA of any inspection, audit, or inquiry made by any supervisory authority with regard to the Personal Information under its control;
  • Notify CCBA promptly when it reasonably believes that there has been any unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage of Personal Information (“Data Security Breach“);
  • At the election of CCBA, delete or return all Personal Information to CCBA after the end of the provision of services relating to Processing, and that all existing copies are, and

  • Make available to CCBA, all information necessary to demonstrate compliance with the legal obligations and allow for and contribute to audits, including inspections, conducted by CCBA or another auditor mandated by CCBA.

 

13.3 CCBA will maintain and permanently update a list/record of all Operators / Processors. 

 

13.4 CCBA and its Personnel will ensure that Operators / Processors do not engage other Operators / Processors without prior specific or general written authorization of CCBA. 

14. Recipients

14.1 CCBA will disclose Personal Information to third parties when at least one of the following applies:

  • The Data Subject has given his/her consent;
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which CCBA is subject;
  • Processing is necessary in order to protect the vital interests of the Data Subject or of another Data Subject;
  • Processing is necessary for the performance of a public law duty by a public body;
  • Processing is necessary for the purposes of the legitimate interests pursued by CCBA or by a third party; or
  • Where required in an emergency where the health or security of CCBA Personnel is endangered (e.g., an accident at work). 

15. Direct Marketing

15.1 CCBA and its Personnel will process Personal Information to conduct direct marketing when the Data Subject has provided his/her prior express consent and / or as otherwise authorized by Applicable Data Protection Laws. 

16. Children

16.1 CCBA will not allow the Processing of the Personal Information of a minor where the minor is below the age of 18 (eighteen) years.

 

16.2 CCBA and its Personnel will only process Personal Information of a minor if:

  • prior consent is obtained from a competent person (parent or legal guardian);

  • it is necessary for the establishment, exercise or defence of a right or obligation in law;

  • it is necessary to comply with an obligation of international public law. 

17. Complaint Handling / Enforcement Process

17.1 CCBA has appointed an Information Officer / Data Protection Officer, who enforces compliance with this Policy.

 

17.2 CCBA and its Personnel are responsible for observing this Policy. Non-compliance with this Policy may result in disciplinary sanctions, dismissal, or any other type of sanction permitted by applicable law. 

 

17.3 If at any time any person subject to this Policy believes that Personal Information is or have been Processed in violation of this Policy, he/she must report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at privacy@ccbagroup.com

 

17.4 If any Personnel believes that he/she is not able to comply with this Policy because of legal requirements or instructions given to him/her, he/she should immediately report that information to the Privacy Office. The CCBA Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance. 

18. Data Security

18.1 CCBA and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Information against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage, and ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

 

18.2 CCBA is obliged to implement technical and organizational security measures for Processing of any Personal Information. 

 

18.3 Technical measures are those that directly involve the IT system. Organizational measures, on the other hand, relate to the system’s environment and particularly to the Personnel using it. 

19. Data Protection, Breaches & Security Incidents

19.1 If at any time Personnel become aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information or believes that Personal Information is or has been Processed in violation of this Policy, he/she should immediately report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at privacy@ccbagroup.com.

 

19.2 CCBA will inform affected Data Subjects without undue delay of any such breach of security which is likely to result in a high risk to their privacy, providing them with appropriate information about the breach, including all information required under Applicable Data Protection Laws. 

 

19.3 In the case of a Personal Information breach affecting Data Subjects, CCBA will without undue delay after having become aware of it, notify the Personal Information breach to the relevant data protection authority. 

20. Obligations Towards Data Protection Authority

20.1 CCBA and, where applicable, its representatives, will cooperate, on request, with the relevant data protection authority in the performance of its tasks. CCBA commits to cooperate with the relevant data protection authority to address any complaints and comply with the advice or orders given by the relevant data protection authority. 

 

20.2 CCBA will respond diligently and appropriately to inquiries from the relevant data protection authority. 

 

20.3 All inquiries relating to this Policy should be directed to the Privacy Office and the Information Officer / Data Protection Officer: privacy@ccbagroup.com

21. Implementation of and Modifications to this Policy

21.1 This Policy will come into effect on 1 July 2021. This Policy will be published on the CCBA website. CCBA is committed to communicating this Policy to and how it may be accessed by all current and new Personnel. Each CCBA Personnel is obliged to take notice and review this Policy including any amendments of this Policy in future. 


21.2 CCBA reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, CCBA practices and procedures, or requirements imposed by relevant data protection authorities. CCBA will post all changes to this Policy on relevant websites. 

22. Contact Us

Visit our contact page.

Version: 21 October 2021

CCBA PAIA