Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “CCBA”) respect the privacy of individuals and are committed to protecting individual privacy.
This Policy applies to all Personnel of CCBA.
- Key Terms and Definitions
- Basic Principles of Data Processing
- Purpose of Data Processing and Justification Basis
- Information Officer
- Information Obligations
- Rights of the Data Subject
- Accuracy of Data
- Transfers of Personal Information to Foreign Countries
- Storage and Erasure of Personal Information
- Data protection by Design and by Default
- Direct Marketing
- Complaint Handling/Enforcement Process
- Data Security
- Data protection Breaches and Security Incidents
- Obligations Towards Data Protection Authority
- Implementation of and Modifications to this Policy
CCBA, for the purposes of carrying out its business and related objectives, does and will, from time to time, process the Personal Information of living individuals and legal entities, including public and private entities, such as Personal Information relating to employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, customers, and other third parties.
CCBA is obligated to comply with Applicable Data Protection Laws and the data protection conditions set out therein with respect to the processing of all and any Personal Information.
This Policy describes how CCBA will discharge its duties to ensure continuing compliance with Applicable Data Protection Laws in general and the information protection conditions and rights of Data Subjects.
2. KEY TERMS AND DEFINITIONS
- When used in this Policy,
- “Applicable Data Protection Laws” means all applicable laws and regulations in relation to data protection, privacy and/or the recording, monitoring or interception of communication;
- “CCBA” means Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information;
- “Controlling CCBA Company” means Coca-Cola Beverages Africa (Pty) Ltd;
- “Data Subject/s” means an identified or identifiable individual; an identifiable Data Subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject;
- “Information Officer” has the meaning as set out in section 5.1 of this Policy;
- “Personal Information” means information relating to any identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, namely the Data Subject, including, but not limited to-
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the Data Subject;
- Information relating to the education or the medical, financial, criminal or employment history of the Data Subject;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment to the Data Subject;
- The biometric information of the Data Subject;
- The individual opinions, views or preferences of the Data Subject;
- Correspondence sent by the Data Subject that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the Data Subject;
- The name of the Data Subject if it appears with other Personal Information relating to the Data Subject or if the disclosure of the name itself would reveal information about the Data Subject;
- “Personnel” means any and all employees, interns, trainees and other employees of any kind who work for CCBA;
- “Processing” means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information, including-
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, as well as restriction, degradation, erasure or destruction of information;
- Sharing with, transfer and further processing, to and with such information.
“Process” and “Processed” shall have corresponding meanings;
- “Operator/s” means a natural person or a juristic person who processes Personal Information on behalf of CCBA in terms of a contract or mandate, without coming under the direct authority of CCBA;
- “Recipient/s” is any natural or legal person, public authority, agency or another body, to which Personal Information is disclosed, whether a third party or not;
- “Responsible Party” means CCBA, including without detracting from the generality thereof, its directors, management, executives, HR practitioners, payroll department, core benefits provider, medical aid department, retirement funding department, internal auditors, legal practitioners and compliance officers, company secretary, and all other employees and Operators who need to process Personal Information for CCBA;
- “Special Personal Information” includes any information relating to an individual’s ethnicity, gender, religious or other beliefs, political opinions, membership of a trade union, sexual orientation, medical history, offences committed or alleged to have been committed by that individual, biometric details and children’s details;
- “third party” means a natural or legal person, public authority, agency or body other than the Data Subject, and other than the Controlling CCBA Company, Operator and other persons who, under the direct authority of the Controlling CCBA Company or an Operator, are authorized to process Personal Information.
3. BASIC PRINCIPLES OF DATA PROCESSING
- CCBA, its Personnel and Operators respect the privacy rights and interests of each Data Subject and adhere to the following data protection conditions when Processing Personal Information:
- Principles of lawfulness, fairness and transparency: Personal Information shall be Processed lawfully, fairly and in a reasonable manner that does not infringe the privacy of the Data Subject;
- Principle of purpose limitation: Personal Information shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes;
- Principle of data minimisation: Personal Information shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Information is Processed;
- Principle of accuracy: Personal Information shall be as accurate and complete as possible; every reasonable step must be taken to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is Processed, is updated or erased;
- Principle of storage limitation: Personal Information shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is Processed;
- Principle of integrity and confidentiality: Personal Information shall be Processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- Principle of Data Subject participation: Personal Information shall be processed in accordance with the rights of data subjects under Applicable Data Protection Laws; and
- Principle of accountability: CCBA is responsible for and must be able to demonstrate compliance with the preceding
- Any Personnel acting under the authority of CCBA, who has access to Personal Information, will not process Personal Information except on instructions from CCBA. Access to internal CCBA systems that contain Personal Information is limited to a select group of authorized CCBA Personnel who have a business need to access particular Personal Information. Personnel are given access to such systems through the use of a unique identifier and password and other access control
- Personnel who require permanent or regular access to Personal Information are bound by non-disclosure and confidentiality agreements, instructions and policies intended to protect the confidentiality of Personal Information.
- Appropriate training will be provided to Personnel who have permanent or regular access to Personal Information or who are involved in the Processing of Personal Information.
4. PURPOSE OF DATA PROCESSING AND JUSTIFICATION BASIS
- CCBA will Process Personal Information only in the following limited circumstances:
- Where the Data Subject, or a competent person where the Data Subject is a child, consents to the Processing;
- where the Processing is necessary for CCBA’s performance, execution or termination of a contract to which the relevant Data Subject is a party, or in order to take steps at the request of the Data Subject before entering into such a contract;
- where the Processing is necessary for compliance with a legal obligation arising under the law to which CCBA is subject;
- where Processing of Personal Information is necessary for the purposes of legitimate interests pursued by CCBA or a third party, unless the interests of the Data Subject are overridden, in the circumstances, by the privacy-related interests or fundamental rights and freedoms of the relevant Data Subject. Legitimate interests could be a lawful basis for Processing, when the Data Subject can reasonably expect at the time and in the context of the collection of his/her Personal Information that Processing for a given purpose may take Examples of purposes of Processing that could be based on the legitimate interests include, but are not limited to: fraud detection, responses to requests of individuals, protection of CCBA’s interests (e.g. to respond to requests from government agencies);
- where the Processing is necessary in order to protect the vital interests of a Data Subject; or
- where the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public law duty by a public body.
- Processing operations falling under one of the points set out in section 4.1 above, notably include the following:
- Providing products and services as requested by customers and consumers, including sending of marketing communications to Data Subjects;
- Personalising marketing communications to Data Subjects;
- Allowing Data Subjects to register and participate in promotions, special offers, loyalty programs, prize draws etc.;
- Data analytics to derive trends and improve CCBA products and services;
- Concluding contracts and business transactions;
- Confirming, verifying and updating Data Subject details;
- Managing the CCBA workforce, including providing benefits and entitlements (such as compensation and benefits) to Personnel;
- Complying with employment and labour laws, regulations, and requirements;
- Communicating with Data Subjects including Personnel, business partners, consumers and customers;
- Conducting criminal reference checks and/or conducting credit reference searches or verifications;
- Protecting the rights and freedoms of CCBA, its customers, consumers, business partners, and Personnel;
- For the detection and prevention of fraud, crime, money laundering or other malpractice;
- Processing operations in the context of mergers, acquisitions and other corporate operations;
- Complying with legal requirements;
- Protecting and enhancing the security and safety of CCBA and individuals including customers, consumers, business partners, and Personnel; or
- When the Processing of Personal Information is based on the consent of the Data Subject, CCBA and its Personnel will obtain clear and explicit consent from the Data Subject.
- For consent of minors, the requirements stipulated under section 16 below must be considered in
- CCBA will not process Sensitive Personal Information except where:
- The Data Subject has given his/her explicit consent to the Processing for one or more specified purpose;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of CCBA or of the Data Subject (i.e. in the field of employment and social security and legislative obligations);
- the Processing is necessary to protect the Data Subject’s “vital interests” and the Data Subject is physically or legally incapable of giving consent;
- Processing relates to Personal Information which is manifestly made public by the Data Subject; or
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever a regulatory body, agency, or judicial authority requires this in its official capacity.
5. INFORMATION OFFICER
- CCBA has a designated information officer (“Information Officer”). The Information Officer can be reached at email@example.com.
- CCBA will register the Information Officer in accordance with Applicable Data Protection Laws.
- CCBA and its Personnel will monitor and document CCBA’s compliance with this Policy and Applicable Data Protection Laws on an ongoing basis. CCBA and its Personnel will maintain and permanently update a data privacy framework to ensure and be able to demonstrate that Personal Information is Processed in accordance with the requirements of this Policy and Applicable Data Protection Laws.
- CCBA and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and be able to demonstrate that Processing is performed in accordance with this Policy and the requirements of POPIA.
7. INFORMATION OBLIGATIONS
- Where Personal Information is collected from a Data Subject, CCBA shall provide the Data Subject with all of the following information at the time when the Personal Information is obtained:
- Identity and contact details of CCBA and, where applicable, of CCBA’s representative/s;
- Contact details of the Information Officer;
- Purposes of the Processing for which the Personal Information is intended as well as the legal basis for the Processing;
- Where the Processing is based on purposes of legitimate interests pursued by CCBA or by a third party, the legitimate interests pursued by CCBA or by the third party;
- Recipients or categories of Recipients of the Personal Information, if any;
- Where applicable, the fact that CCBA intends to transfer Personal Information to another country or international organisation, and the existence or absence of an adequacy decision by the relevant data protection authority, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- The existence of the right to request from CCBA access to and rectification or erasure of Personal Information or restriction of Processing concerning the Data Subject or to object to Processing;
- Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;
- Right to lodge a complaint with the relevant data protection authority; and
- Whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Information and of the possible consequences of failure to provide such personal information.
- When CCBA intends to further process Personal Information for a purpose other than that for which the Personal Information was collected, CCBA must obtain consent from the Data Subject prior to that further
- CCBA provides the information in a concise, transparent, intelligible and easily accessible form, using clear and plain The information may be provided in writing or by electronic means, but in any case, without any media interruption.
8. RIGHTS OF THE DATA SUBJECT
- CCBA and its Personnel will ensure that Data Subjects are able to exercise their rights with regard to the data Processing, including:
- Right of access by the Data Subject;
- Right to rectification;
- Right to erasure;
- Right to restriction of Processing;
- Right to object against the Processing; and
- Right to lodge a complaint with the relevant data protection authority.
- CCBA and its Personnel will provide any information and any communication relating to Processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The communication may be provided in writing or by electronic
- CCBA and its Personnel will ensure that information or action taken on a request to the Data Subject will be provided without undue delay and in any event within 1 (one) month of receipt of the When CCBA and its Personnel do not take action on the request of a Data Subject, CCBA and its Personnel will inform the Data Subject without delay and at the latest within 1 (one) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
- CCBA and its Personnel will communicate any rectification or erasure of Personal Information or restriction of Processing to each Recipient to whom the Personal Information has been disclosed, unless this proves impossible or involves disproportionate
9. ACCURACY OF DATA
Reasonable steps will be taken to ensure the Personal Information is accurate and, where necessary, up to date. Furthermore, CCBA will take every reasonable step to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified, as applicable.
10. TRANSFERS OF PERSONAL INFORMATION TO FOREIGN COUNTRIES
- CCBA shall ensure that Personal Information will only be transferred to foreign countries in compliance with the provisions of Applicable Data Protection Laws. Personal Information may be shared within CCBA around the world in accordance with Applicable Data Protection Laws and/or under one or more inter-company agreements which safeguard the integrity of the Personal Information and the privacy rights of the Data Subjects concerned.
- CCBA shall ensure that the transfer of Personal Data to foreign countries will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.
11. STORAGE AND ERASURE OF PERSONAL INFORMATION
- CCBA will retain Personal Information in a manner consistent with its legal obligations and consistent with its data retention policies and
- CCBA shall ensure that Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is
- CCBA will securely erase Personal Information without undue delay when:
- the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
- the Data Subject withdraws consent on which the Processing is based and where there is no other legal ground for the Processing;
- the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; or
- the Personal Information has been unlawfully
- The principles set out under section 3 above will not apply when Processing is necessary for compliance with a legal obligation which requires CCBA to keep Personal Information.
12. DATA PROTECTION BY DESIGN AND BY DEFAULT
- CCBA will seek to build data protection principles, and in particular adherence to this Policy, into the design of all new (and of significant changes to existing) processes and systems involving the Processing of Personal Information.
- CCBA will share Personal Information with selected Operators that deliver products and
- CCBA will only work with Operators on the basis of written Operator agreements that set out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects and the obligations and rights of CCBA. CCBA and its Personnel will ensure that Operators:
- Process Personal Information only on documented instructions from CCBA;
- Put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate obligation of confidentiality;
- Assist CCBA by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of CCBA’s obligation to respond to requests for exercising the Data Subject’s rights;
- Assist CCBA in ensuring compliance with legal obligations, in particular, the implementation of technical and organizational measures and the notification in case of a Personal Information breach or security incidents;
- Inform CCBA of any inspection, audit, or inquiry made by any supervisory authority with regard to the Personal Information under its control;
- Notify CCBA promptly when it reasonably believes that there has been any unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage of Personal Information (“Data Security Breach”);
- At the election of CCBA, delete or return all Personal Information to CCBA after the end of the provision of services relating to Processing, and that all existing copies are, and
- Make available to CCBA, all information necessary to demonstrate compliance with the legal obligations and allow for and contribute to audits, including inspections, conducted by CCBA or another auditor mandated by
- CCBA will maintain and permanently update a list/record of all
- CCBA and its Personnel will ensure that Operators do not engage other Operators without prior specific or general written authorization of
- CCBA will disclose Personal Information to third parties when at least one of the following applies:
- The Data Subject has given his/her consent;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which CCBA is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another Data Subject;
- Processing is necessary for the performance of a public law duty by a public body;
- Processing is necessary for the purposes of the legitimate interests pursued by CCBA or by a third party; or
- Where required in an emergency where the health or security of CCBA Personnel is endangered (e.g., an accident at work).
15. DIRECT MARKETING
- CCBA and its Personnel will process Personal Information to conduct direct marketing when the Data Subject has provided his/her prior express consent.
- CCBA will not allow the Processing of the Personal Information of a minor where the minor is below the age of 18 (eighteen)
- CCBA and its Personnel will only process Personal Information of a minor if:
- prior consent is obtained from a competent person (parent or legal guardian);
- it is necessary for the establishment, exercise or defence of a right or obligation in law;
- it is necessary to comply with an obligation of international public law.
17. COMPLAINT HANDLING/ENFORCEMENT PROCESS
- CCBA has appointed an Information Officer, who enforces compliance with this
- CCBA and its Personnel are responsible for observing this Policy. Non-compliance with this Policy may result in disciplinary sanctions, dismissal, or any other type of sanction permitted by applicable
- If at any time any person subject to this Policy believes that Personal Information is or has been Processed in violation of this Policy, he/she must report the concern to the CCBA Information Officer by e-mail at firstname.lastname@example.org.
- If any Personnel believes that he/she is not able to comply with this Policy because of legal requirements or instructions given to him/her, he/she should immediately report that information to the Privacy Office. The CCBA Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance.
18. DATA SECURITY
- CCBA and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Information against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage, and ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural
- CCBA is obliged to implement technical and organizational security measures for Processing of any Personal Information.
- Technical measures are those that directly involve the IT system. Organizational measures, on the other hand, relate to the system’s environment and particularly to the Personnel using
19. DATA PROTECTION, BREACHES AND SECURITY INCIDENTS
- If at any time Personnel become aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information or believes that Personal Information is or has been Processed in violation of this Policy, he/she should immediately report the concern to the CCBA Information Officer by e-mail at email@example.com.
- CCBA will inform affected Data Subjects without undue delay of any such breach of security which is likely to result in a high risk to their privacy, providing them with appropriate information about the breach, including all information required under Applicable Data Protection Laws.
- In the case of a Personal Information breach affecting Data Subjects, CCBA will as soon as reasonably possible after having become aware of it, notify the Personal Information breach to the relevant data protection authority.
20. OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITY
- CCBA and, where applicable, its representatives, will cooperate, on request, with the relevant data protection authority in the performance of its tasks. CCBA commits to cooperate with the relevant data protection authority to address any complaints and comply with the advice or orders given by the relevant data protection authority.
- CCBA will respond diligently and appropriately to inquiries from the relevant data protection authority.
- All inquiries relating to this Policy should be directed to the Privacy Office and the Information Officer: firstname.lastname@example.org.
21. IMPLEMENTATION OF AND MODIFICATIONS TO THIS POLICY
- This Policy will come into effect on 1 July 2021. This Policy will be published on the CCBA CCBA is committed to communicating this Policy to and how it may be accessed by all current and new Personnel. Each CCBA Personnel is obliged to take notice and review this Policy including any amendments of this Policy in future.
- CCBA reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, CCBA practices and procedures, or requirements imposed by relevant data protection authorities. CCBA will post all changes to this Policy on relevant internal