Privacy Centre

Version: March 2023

CCBA Privacy Notice

Download
Download

Coca-Cola Beverages Africa Proprietary Limited (“CCBA”) is committed to protecting your privacy and ensuring that your personal information is collected and used appropriately, lawfully and transparently in compliance with applicable data protection laws.

This Privacy Notice (“Notice”) explains how we obtain, process and disclose your personal information and aims to inform you of your rights and how to exercise them. 

This Notice sets out:

  • Who we are
  • What personal information we collect
  • How we use your personal information
  • To whom we may disclose your personal information to
  • How we safeguard your personal information
  • Your rights in relation to your personal information
  • Changes to this Notice
  • How to contact us

Who we are

CCBA is the 8th largest Coca-Cola bottling partner worldwide and the biggest on the African continent. CCBA serves 15 countries in Africa including: The Republic of South Africa, the Kingdom of Eswatini, the Kingdom of Lesotho, the Republic of Ghana, the Republic of Kenya, the Federal Democratic Republic of Ethiopia, the Republic of Mozambique, the United Republic of Tanzania, the Republic of Uganda, the Republic of Namibia, the Department of Mayotte, the Union of the Comoros, the Republic of Botswana, the Republic of Zambia and the Republic of Malawi.

CCBA is a South African company with its registered address at Waterfront Business Park, Building 7, Pommern Street, Humerail, Gqeberha, 6001.

In this Notice, reference to CCBA shall include Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations. 

For the purposes of applicable data protection laws, CCBA shall be a “responsible party” in respect of your personal information. This means that CCBA is responsible for deciding how it holds and uses your personal information. This includes ensuring that CCBA uses your personal information in compliance with applicable data protection laws and in accordance with CCBA’s data protection policies, as amended from time to time.

What personal information we collect

For the purposes of this Notices, “personal information” includes any information relating to an identifiable, living, natural person or an identifiable, existing juristic person.  In essence, this is any information or data that can be used to identify you or that CCBA can link to you and which information CCBA has in its possession and/or under its control.  It does not include data where the identifiable information has been removed or anonymised. 

There are also certain types of more sensitive personal information, referred to as “special personal information” or “sensitive personal information”, which requires a higher level of protection.  Special or sensitive personal information includes, but is not limited to, information about a person’s health, sexual orientation or criminal convictions.

We will collect and process the following personal information:

  • Contact details: such as name, address, phone number, email address, country of residence, emergency contact details, as well as professional contact details such as company and job title;
  • Correspondence: such as the content, date and time of emails, chats, social media messages and other communications with you;
  • Login credentials: such as your username and (hashed) password, recovery email address, secret questions, and security logs;
  • Payment information: such as your (company) bank account number, invoices and other information necessary to make or receive payments;
  • Personal characteristics: such as age, gender, date of birth, place of birth, civil status and nationality.
  • Preferences: such as your personal preferences for our products and services, lifestyle and social circumstances, family circumstances (for example, your marital status and dependents), languages and marketing preferences;
  • Customer and vendor classification information: such as unique categories defined by the size, sector, geographical location and other parameters;
  • Transaction information: such as your purchases, customer account information, order and contract information, delivery details, billing and financial data, creditworthiness and transaction history;
  • User-generated content: such as your postings on any blogs, forums, wikis and any other social media applications and services that we provide;
  • Public information: including information that is available on the Internet, such as social media information, public records and news reports;
  • Vendor screening information: such as professional qualifications, licenses and certificates, work permits, government identification documents, potential conflicts of interest, and ultimate beneficial ownership, each as permitted or required by applicable law;
  • Referral and business leads: such as contact details about referrals and business leads received from business partners;
  • Stakeholder data: such as information about public authority figures and other stakeholders collected from agencies or public sources;
  • Website and service usage information: such as the host name and IP address of your device, your browser type and version, your operating system, the pages you visit, the time and duration of your visit and the website that referred you to us;
  • Cookies: small data files that are placed on your computer or mobile device when you visit a website or use an online service. We may use cookies and similar technologies on our websites and other services. For more information about our use of cookies, please see our Cookie Policy; or
  • Video footage: such as information captured on security systems, including closed circuit television (“CCTV”).

How we use your personal information

Personal information may be processed by CCBA for the following reasons:

  • Providing products and services as requested by customers and consumers, including product and service delivery, customer service and support, account and billing management, and to provide other related services;
  • Managing our ongoing relationship with you, including managing contractual or other obligations, interacting and communicating with you about our products or services, as well as special offers and promotions;
  • Allowing you to register and participate in promotions, special offers, loyalty programs, prize draws etc.;
  • Data analytics to derive trends and to improve our products and services;
  • Concluding contracts and business transactions;
  • Confirming, verifying and updating your details;
  • Managing our workforce, including providing benefits and entitlements (such as compensation and benefits) to personnel;
  • Complying with employment and labour laws, regulations and requirements;
  • Communicating with you, including personnel, business partners, consumers and customers;
  • Screening and evaluating prospective personnel, vendors and business partners to ensure their compliance with applicable legal requirements, industry standards and our policies;
  • Protecting the rights and freedoms of CCBA, its customers, consumers, business partners, and personnel;
  • For the detection and prevention of fraud, crime, money laundering or other malpractice;
  • Processing operations in the context of mergers, acquisitions and other corporate operations;
  • Complying with legal requirements;
  • Protecting and enhancing the security and safety of CCBA and individuals including customers, consumers, business partners and personnel; or
  • Processing carried out in the context of the use of cookies and other similar technologies.

Under applicable data protection laws , CCBA may only use your personal information in the following ways:

  • Consent: when required, we may process your personal information by obtaining your consent. You can withdraw your consent at any time by contacting us (see our contact information below);
  • Contractual necessity: we may need to process your personal information in order to enter into a contract with you or to perform our obligations under a contract with you;
  • Legitimate interest: we may process your personal information for your or our legitimate interest/s;
  • Legal obligation: we may process your personal information as necessary for compliance with a legal obligation arising under applicable law to which CCBA is subject; or
  • Public and vital interest: we may process your personal information where it is necessary in order to protect your vital interests or for the performance of a task carried out in the public’s interest.

We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is lawful and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, or if required, seek your consent. 

Please note that we may process your personal information without your knowledge or consent in compliance with the above rules, where required or permitted by law.

To whom we may disclose your personal information

CCBA may share your personal information with:

  • Other members of the CCBA group of companies;
  • Third parties contracted or mandated by CCBA, including service providers, contractors or agents, for the purposes listed above, for example sales and distribution partners, credit reference and fraud prevention agencies and outlet surveyors;
  • Relevant authorities, to the extent required by law, regulation or court order, for example CCBA is under a duty to disclose personal information in order to comply with certain legal or regulatory obligations;
  • Acquirers, successors, or assignees of CCBA as part of any merger, acquisition, debt financing, sale of assets, or similar transaction; and 
  • Advisors and legal counsel in order to establish, exercise or defend CCBA’s rights, for example if CCBA needs to obtain external legal advice or provide personal information in connection with judicial proceedings.

Where personal information is disclosed to third parties, we will take steps to ensure that such personal information is accessed only by those persons who need to do so for the purposes described in this Notice and that appropriate security measures are in place to protect your personal information in line with applicable data protection laws and our policies. 

We do not allow our third party service providers, contractors or agents to use your personal information for their own purposes; we only permit them to process your personal information for specified purposes and strictly in accordance with our instructions.

How we safeguard your personal information

We will take appropriate technical and organisational security and other measures to ensure that the integrity of the personal information in our possession, or under our control, is secure and protected against unauthorised or unlawful access, use, acquisition, disclosure, interference, modification, accidental loss, destruction, disclosure or damage. We will, on an ongoing basis, continue to review our controls and related processes to ensure that your personal information is secure.

When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that the personal information we are responsible for is kept secure.

We may transfer your personal information to another country for processing or storage. We will ensure that personal information transferred internationally is done so in accordance with applicable data protection laws and / or under appropriate agreements which safeguard the integrity of your personal information.

Your rights in relation to personal information

You have a number of legal rights in relation to the personal information that we hold about you. 

These rights include:

  • The right to be informed and provided with clear, transparent and easily understandable information about how we use your personal information and your rights in respect thereof.  Please note that this Notice constitutes such information;
  • The right to access the personal information that we hold about you. Please note that any such access request may be subject to a payment of a legally allowable fee and we will let you know what it is at the time of your request; 
  • The right to request that we rectify any of your personal information that we process in accordance with this Notice. The personal information that you may request us to rectify includes personal information that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading, or which was obtained unlawfully or that we are no longer authorised to retain; 
  • The right to request that we destroy or delete any of your personal information that we have processed in accordance with this Notice.  Please note that there may be circumstances where you ask us to erase your personal information, but CCBA is legally entitled or obliged to retain such information and we are therefore entitled to refuse your request; 
  • The right to object on reasonable grounds, and the right to request that we restrict our processing of your personal information relating to your particular situation, unless the processing is required by law.  Again, there may be circumstances where you object to, or ask us to restrict our processing of your personal information, but CCBA is legally entitled or obliged to continue processing your personal information and is therefore entitled to refuse your request. However, you may raise an objection if you are of the view that the processing of your personal information is not necessary to pursue your or our legitimate interests;
  • The right to receive your personal information held by CCBA, in an organized, commonly used machine-readable format; 
  • The right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects on you; and
  • The right to lodge a complaint with the relevant data protection authority if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting CCBA in writing, using the contact information set out below. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information, or to exercise your rights.

Changes to this Notice

Please note that we may amend this Notice from time to time. Please check our website periodically to inform yourself of any changes.

How to contact us

If you would like further information regarding this Notice, please address your questions, comments and/or requests to privacyoffice@ccbagroup.com for the attention of the Information Officer, who is responsible for overseeing compliance with this Notice.

Version: March 2023

CCBA Privacy Policy

Download
Download

Coca-Cola Beverages Africa (Pty) Ltd

(Registration Number 2016/050997/07)

Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “CCBA”) respects the privacy of its stakeholders and is committed to protecting such privacy in accordance with Applicable Data Protection Laws. 

This Privacy Policy (“Policy”) sets out the minimum basis for which CCBA, its Personnel and/or its Operators may Process Personal Information and further provides for appropriate and consistent safeguards for Processing Personal Information.

Contents

  1. Introduction
  2. Key Terms and Definitions
  3. Basic Principles of Processing
  4. Purpose of Data Processing and Justification Basis
  5. Information Officer 
  6. Rights of the Data Subject
  7. Transfer of Personal Information Internationally
  8. Storage and Erasure of Personal Information
  9. Operators and Sharing of Personal Information 
  10. Recipients
  11. Direct Marketing
  12. Children
  13. Data Security
  14. Privacy and Information Security Incidents
  15. Obligations Towards Data Protection Authority
  16. Implementation of and Modifications to this Policy
  17. Contact Us

1. Introduction

CCBA for the purposes of carrying out its business and related objectives, does and will from time to time, Process the Personal Information of living individuals and legal entities (including public and private entities), employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, customers, and other third parties. 

CCBA is obligated to comply with Applicable Data Protection Laws and the data protection conditions set out therein with respect to the processing of all and any Personal Information. This Policy describes how CCBA will discharge its duties to ensure continuing compliance with Applicable Data Protection Laws in general and the information protection conditions and rights of Data Subjects.

2. Key Terms & Definitions

2.1 When used in this Policy,

  • Applicable Data Protection Laws” means all national, state or local laws, regulations, ordinances, or other government standards relating to the privacy, confidentiality or security of Personal Information, including any imposing rules regarding minimum security requirements, for the secure disposal of Personal Information, a prohibition of unauthorized access, acquisition or use of Personal Information, or any laws governing data privacy, data security or data retention generally; 
  • CCBA” means Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations, which alone or jointly with others, determines the purposes and means of the Processing of Personal Information;
  • Controlling CCBA Company” means Coca-Cola Beverages Africa (Pty) Ltd;
  • Data Subject/s” means a data subject as defined in terms of Applicable Data Protection Laws;
  • Information Officer” means an information officer or data protection officer as defined in terms of Applicable Data Protection Laws;
  • Personal Information” means any information defined as personal information or personal data in terms of Applicable Data Protection Laws, and that is recorded in any form, and includes without limitation, information related to: 
    – race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;
    – education, medical, financial, criminal or employment history;
    – any identifying number, symbol, e-mail address, physical address, telephone, number, location information, online identifier or other particular assignment;
    – biometric information of the Data Subject;
    – the personal opinions, views or preferences of the Data Subject;
    – correspondence sent by the Data Subject that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
    – views or opinions of another individual about the Data Subject;
    – the name of the Data Subject if it appears with other Personal Information relating to the Data Subject or if the disclosure of the name itself would reveal information about the Data Subject; and
    – any information categorised as “Sensitive Personal Information” or “Special Personal Information” under Applicable Data Privacy Laws;
  • Personnel” means any and all employees, interns, trainees and other employees of any kind who are employed by CCBA;
  • Processing” has the meaning as defined in Applicable Data Protection Laws and the terms “Process” and “Processed” shall have corresponding meanings;
  • Operator/s” means a person who Processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party, and includes a “Processor” or “Data Processor” as such term(s) may be defined in Applicable Data Protection Laws; 
  • Recipient/s” is any natural or legal person, public authority, agency or another body, to which Personal Information is disclosed, whether a third party or not;
  • Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information and includes a “Controller” as such term may be defined in Applicable Data Protection Laws; and 
  • third party” means a natural or legal person, public authority, agency or body other than the Data Subject and other than the Controlling CCBA Company, Operator and other persons who, under the direct authority of the Controlling CCBA Company or an Operator, are authorized to Process Personal Information.

3. Basic Principles Of Data Processing

3.1 CCBA, its Personnel and its Operators respect the privacy rights and interests of each Data Subject and adhere to the following data protection conditions when Processing Personal Information:

  • Accountability: The Responsible Party must ensure compliance with Applicable Data Protection Laws. A privacy compliance framework must be established. An internal Information Officer to champion compliance with Applicable Data Protection Laws must be appointed.
  • Processing limitation: The collection of Personal Information must:
    – Be with the consent of the Data Subject
    – Not be excessive
    – Be legally justifiable
    – Not be collected from third parties without a legitimate purpose
  • The Responsible Party must develop procedures / policies to ensure that Personal Information is processed in a reasonable manner.
  • Purpose specification: Personal Information must only be collected in connection with a specific purpose related to the function or activity of the Responsible Party collecting the information. Personal information must not be stored for longer than necessary.
  • Restriction on further processing: Once Personal Information has been collected and lawful Processing has occurred, the Responsible Party may only further Process that data in limited circumstances. These limited circumstances are determined based on whether the purpose of the further Processing is compatible with the previously defined purpose.
  • Information quality: The Responsible Party must ensure that any Personal Information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the Responsible Party must consider the purpose for which the Personal Information is collected or further Processed.
  • Openness: The Responsible Party must take reasonably practicable steps to ensure that Data Subjects are aware that their Personal Information is being Processed and the reason for such Processing.
  • Security Safeguards: The Responsible Party must secure the integrity and confidentiality of any Personal Information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction of, and unlawful access to the Personal Information in its possession.
  • Data Subject Participation: Data Subjects must be allowed access to their Personal Information and to request that their Personal Information is corrected, updated or deleted if inaccurate.
3.2 Any Personnel and/or Operators acting under the authority of CCBA, who have access to Personal Information, will not process Personal Information except on instructions from CCBA. Access to internal CCBA systems that contain Personal Information shall be limited to a select group of authorized CCBA Personnel and/or Operators who have a business need to access particular Personal Information. Personnel and Operators are given access to such systems through the use of a unique identifier and password and other access control mechanisms.
3.3 Personnel and Operators who require permanent or regular access to Personal Information are bound by non-disclosure and confidentiality agreements, instructions and policies intended to protect the confidentiality of Personal Information.
3.4 Appropriate training will be provided to Personnel who have permanent or regular access to Personal Information or who are involved in the Processing of Personal Information.

4. Purpose Of Data Processing And Justification Basis

4.1 CCBA will Process Personal Information only in the following limited circumstances:

  • Consent: where the Data Subject, or a competent person where the Data Subject is a minor, consents to the Processing;
  • Contractual Necessity: where the Processing is necessary for CCBA’s performance, execution or termination of a contract to which the relevant Data Subject is a party, or in order to take steps at the request of the Data Subject before entering into such a contract;
  • Legal Obligation: where the Processing is necessary for compliance with a legal obligation arising under a law to which CCBA is subject;
  • Legitimate Interest: where Processing of Personal Information is necessary for the purposes of legitimate interests pursued by CCBA or a third party, unless the interests of the Data Subject are overridden, in the circumstances, by the privacy-related interests or fundamental rights and freedoms of the relevant Data Subject. Legitimate interests could be a lawful basis for Processing, when the Data Subject can reasonably expect at the time and in the context of the collection of his/her Personal Information that Processing for a given purpose may take place. Examples of purposes of Processing that could be based on the legitimate interests include, but are not limited to fraud detection, responses to requests of individuals, protection of CCBA’s interests (e.g. to respond to requests from government agencies);
  • Vital Interest: where the Processing is necessary in order to protect the vital interests of a Data Subject; or
  • Public Interest: where the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public law duty by a public body.

4.2 Processing operations falling under one of the points set out in section 4.1 above, notably include the following, and CCBA will use the Personal Information it collected about a Data Subject for the following purposes:

  • Providing products and services as requested by customers and consumers, including product and service delivery, customer service and support, account and billing management and to provide other related services;
  • Managing CCBA’s ongoing relationship with Data Subjects, including managing contractual or other obligations, interacting and communicating with Data Subjects about CCBA products or services as well as special offers and promotions;
  • Allowing Data Subjects to register and participate in promotions, special offers, loyalty programs, prize draws etc.;
  • Data analytics to derive trends and to improve CCBA products and services;
  • Concluding contracts and business transactions;
  • Confirming, verifying and updating Data Subject details;
  • Managing the CCBA workforce, including providing benefits and entitlements (such as compensation and benefits) to Personnel;
  • Complying with employment and labour laws, regulations, and requirements;
  • Communicating with Data Subjects including Personnel, business partners, consumers and customers;
  • Screening and evaluating prospective Personnel, vendors and business partners to ensure their compliance with applicable legal requirements, industry standards and CCBA policies;
  • Protecting the rights and freedoms of CCBA, its customers, consumers, business partners, and Personnel;
  • For the detection and prevention of fraud, crime, money laundering or other malpractice;
  • Processing operations in the context of mergers, acquisitions and other corporate operations;
  • Complying with legal requirements;
  • Protecting and enhancing the security and safety of CCBA and individuals including customers, consumers, business partners, and Personnel; or
  • Processing carried out in the context of the use of cookies and other similar technologies.
4.3 When the Processing of Personal Information is based on the consent of the Data Subject, CCBA and its Personnel will obtain clear and explicit consent from the Data Subject.
4.4 For the consent of minors, the requirements stipulated under section 12 below must be considered in addition.

4.5 CCBA will not process Special or Sensitive Personal Information except where:

  • The Data Subject has given his/her explicit consent to the Processing for one or more specified purpose;
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of CCBA or of the Data Subject (i.e. in the field of employment and social security and legislative obligations);
  • the Processing is necessary to protect the Data Subject’s vital interests and the Data Subject is physically or legally incapable of giving consent;
  • Processing relates to Personal Information which is manifestly made public by the Data Subject; or
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever a regulatory body, agency, or judicial authority requires this in its official capacity.

4.6 CCBA will collect and Process, inter alia, the following types of Personal Information:

  • Contact details: such as name, address, phone number, email address, country of residence, emergency contact details as well as professional contact details, such as company and job title.
  • Correspondence: such as the content, date and time of emails, chats, social media messages and other communications with Data Subjects.
  • Login credentials:  such as username and (hashed) password, recovery email address, secret questions and security logs.
  • Payment information:  such as (company) bank account number, invoices, and other information necessary to make or receive payments.
  • Personal characteristics: such as age, gender, date of birth, place of birth, civil status and nationality.
  • Preferences: such as personal preferences for CCBA products and services, lifestyle and social circumstances, family circumstances (for example, marital status and dependents), languages and marketing preferences.
  • Customer and vendor classification information: such as unique categories defined by the size, sector, geographical location and other parameters.
  • Transaction information: such as purchases, customer account information, order and contract information, delivery details, billing and financial data, creditworthiness and transaction history.
  • User-generated content: such as postings on any blogs, forums, wikis and any other social media applications and services that we provide.
  • Public information: including information that is available on the Internet, such as social media information, public records and news reports.
  • Vendor screening information: such as professional qualifications, licenses and certificates, work permits, government identification documents, potential conflicts of interest, and ultimate beneficial ownership, each as permitted or required by applicable law.
  • Referral and business leads: such as contact details about referrals and business leads received from business partners.
  • Stakeholder data: such as information about public authority figures and other stakeholders collected from agencies or public sources.
  • Website and service usage information: such as the host name and IP address of a device, browser type and version, operating system, the pages visited, the time and duration of visits and the referring website.
  • Cookies: small data files that are placed on a computer or mobile device when a Data Subject visits a website or uses an online service. CCBA may use cookies and other similar technologies on CCBA websites and other services. For more information about CCBA’s use of cookies, please see the CCBA Cookie Policy.
  • Video footage: such as information captured on security systems, including closed circuit television (“CCTV”).

4.7 CCBA may collect Personal Information about a Data Subject directly from the Data Subject, from third parties, agencies, public sources such as information available on the internet, as well as automatically, such as through the use of the CCBA website.

5. Information Officer

5.1 CCBA has appointed an Information Officer who champions compliance with Applicable Data Protection Laws and this Policy on behalf of CCBA. The Information Officer can be reached at privacyoffice@ccbagroup.com.
5.2 CCBA has registered the Information Officer in accordance with Applicable Data Protection Laws.

6. Rights Of The Subject Data

6.1 CCBA and its Personnel will ensure that Data Subjects are able to exercise their rights with regard to the Processing of Personal Information, including the:

  • Right to be notified; 
  • Right of access by the Data Subject;
  • Right to rectification;
  • Right to erasure;
  • Right to restriction of Processing;
  • Right to data portability;
  • Right to object against the Processing; 
  • Right not to be subject to automated decision making; and
  • Right to lodge a complaint with the relevant data protection authority.

6.2 Data Subjects may exercise their rights at any time by sending an email to
privacyoffice@ccbagroup.com.

7. Transfer Of Personal Information Internationally

7.1 CCBA shall ensure that Personal Information will only be transferred internationally in compliance with the provisions of Applicable Data Protection Laws.  Personal Information may be shared internationally in accordance with Applicable Data Protection Laws and/or under one or more agreements which safeguard the integrity of the Personal Information and the privacy rights of the Data Subject/s concerned.

8. Storage & Erasure Of Personal Information

8.1 CCBA will retain Personal Information in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.
8.2 CCBA shall ensure that Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is Processed.

8.3 CCBA will securely erase Personal Information when:

  • the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
  • the Data Subject withdraws consent on which the Processing is based and where there is no other legal ground for the Processing;
  • the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; or
  • the Personal Information has been unlawfully Processed.
8.4 The principles set out under section 8.3 above will not apply when Processing is necessary for compliance with a legal obligation which requires CCBA to keep Personal Information.

9. Operators & Sharing Of Personal Information

9.1 CCBA will share Personal Information with selected Operators that deliver products and services.
9.2 CCBA will only work with Operators on the basis of written agreements that set out the purposes of the Processing and established data protection requirements. CCBA and its Personnel will ensure that Operators comply with their obligations under the agreements with CCBA and Applicable Data Protection Laws.

10. Recipients

10.1 CCBA will disclose Personal Information to recipients when at least one of the following applies:

  • The Data Subject has given his/her consent;
  • Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which CCBA is subject;
  • Processing is necessary in order to protect the vital interests of the Data Subject or of another Data Subject;
  • Processing is necessary for the performance of a public law duty by a public body;
  • Processing is necessary for the purposes of the legitimate interests pursued by CCBA or by a third party; or
  • Where required in an emergency where the health or security of a Data Subject is endangered (e.g., an accident at work).

11. Direct Marketing

11.1 CCBA and its Personnel will Process Personal Information to conduct direct marketing when the Data Subject has provided his/her prior express consent and/or as otherwise authorized by Applicable Data Protection Laws.

12. Children

12.1 CCBA will not allow the Processing of the Personal Information of a minor where the minor is below the age of 18 (eighteen) years.

12.2 CCBA and its Personnel will only Process Personal Information of a minor if: 

  • prior consent is obtained from a competent person (parent or legal guardian);
  • it is necessary for the establishment, exercise or defence of a right or obligation in law;
  • it is necessary to comply with an obligation of international public law.

13. Data Security

13.1 CCBA will take appropriate technical and organisational security and other measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and protected against unauthorised or unlawful access, use, acquisition, disclosure, interference, modification, accidental loss, destruction, disclosure or damage.

14. Privacy & Information Security Incidents

14.1 If at any time, any person becomes aware of any privacy or information security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information or believes that Personal Information is or has been Processed in violation of this Policy, he/she must immediately report the concern to the CCBA Information Officer by e-mail at privacyoffice@ccbagroup.com.
14.2 CCBA will inform affected Data Subjects without undue delay of any such breach of security which is likely to result in a high risk to their privacy, providing them with appropriate information about the breach, including all information required under Applicable Data Protection Laws.
14.3 In the case of a Personal Information breach affecting Data Subjects, CCBA will without undue delay after having become aware of it, notify the Personal Information breach to the relevant data protection authority.

15. Obligations Towards Data Protection Authority

15.1 CCBA and, where applicable, its representatives, will cooperate, on request, with the relevant data protection authority in the performance of its tasks. CCBA commits to cooperate with the relevant data protection authority to address any complaints and comply with the advice or orders given by the relevant data protection authority.
15.5 CCBA will respond diligently and appropriately to inquiries from the relevant data protection authority.

16. Implementation Of & Modifications To This Policy

16.1 CCBA reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, CCBA practices and procedures or requirements imposed by relevant data protection authorities. CCBA will post all changes to this Policy on its websites.

17. Contact Us

CCBA welcomes any questions, comments, and concerns about privacy. Any questions about this Privacy Policy or CCBA data practices may be emailed to privacyoffice@ccbagroup.com.

Version: 21 October 2021

CCBA PAIA Manual

Download
Download
CCBA_Logo_White

Company

Legal

Other Sites

© Copyright CCBA 2025 | All Rights Reserved
CCBA_Logo_White

Company

Legal

Other Sites

© Copyright CCBA 2025 | All Rights Reserved
© Copyright CCBA 2025 | All Rights Reserved