CCBA for the purposes of carrying out its business and related objectives, does and will from time to time, process the Personal Information of living individuals and legal entities, including public and private entities, such as Personal Information relating to employees and staff, prospective employees and job applicants, students and interns, service providers and contractors, vendors, customers, and other third parties. CCBA is obligated to comply with Applicable Data Protection Laws and the data protection conditions set out therein with respect to the processing of all and any Personal Information. This Policy describes how CCBA will discharge its duties to ensure continuing compliance with Applicable Data Protection Laws in general and the information protection conditions and rights of Data Subjects.
Key Terms & Definitions
When used in this Policy,
- "Applicable Data Protection Laws" means all applicable laws and regulations in relation to data protection, privacy and/or the recording, monitoring or interception of communication
- "CCBA" means Coca-Cola Beverages Africa (Pty) Ltd, its affiliates, controlled subsidiaries and entities in which it either owns a majority interest or manages operations, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information
- "Controlling CCBA Company" means Coca-Cola Beverages Africa (Pty) Ltd
- "Data Subject/s" means any living natural person or existing juristic person who can be identified, directly or indirectly, via an identifier such as a name, ID number, registration number, email address, location data etc.
- "Information Officer" or "Data Protection Officer" has the meaning as set out in section 5.1 of this Policy
- "Personal Information" has the meaning as defined in Applicable Data Protection Laws
- "Personnel" means any and all employees, interns, trainees and other employees of any kind who work for CCBA
- "Processing" has the meaning as defined in Applicable Data Protection Law
- "Process" and "Processed" shall have corresponding meanings
- "Operator/s" or "Processor/s" has the meaning as defined in Applicable Data Protection Laws
- "Recipient/s" is any natural or legal person, public authority, agency or another body, to which Personal Information is disclosed, whether a third party or not
- "Responsible Party" or “Controller” means the party that determines the purpose of and means for processing Personal Information
- "Special Personal Information" or "Sensitive Personal Information" has the meaning as defined in Applicable Data Protection Laws
- "third party" means a natural or legal person, public authority, agency or body other than the Data Subject, and other than the Controlling CCBA Company, Operator / Processor and other persons who, under the direct authority of the Controlling CCBA Company or an Operator / Processor, are authorized to process Personal Information
Basic Principles Of Data Processing
CCBA, its Personnel and its Operators / Processors respect the privacy rights and interests of each Data Subject and adhere to the following data protection conditions when Processing Personal Information:
- Accountability: The Responsible Party must ensure compliance with POPIA. A data protection policy must be established. An internal information officer to champion compliance with POPIA must be appointed.
- Processing limitation: The collection of Personal Information must: Not be excessive, Be legally justifiable, Not be collected from third parties without good reason, The Responsible Party must develop procedures / policies to ensure that Personal Information is processed in a “reasonable manner”
- Purpose specification: Personal Information must only be collected in connection with a specific purpose related to the function or activity of the Responsible Party collecting the information. Personal information must not be stored for longer than necessary.
- Restriction on further processing: Once Personal Information has been collected and lawful processing has occurred, the Responsible Party may only further process that data in limited circumstances. These limited circumstances are determined based on whether the purpose of the further processing is “compatible” with the previously defined purpose.
- Information quality: The Responsible Party must ensure that any Personal Information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the Responsible Party must consider the purpose for which the Personal Information is collected or further processed.
- Openness: The Responsible Party must take reasonably practicable steps to ensure that Data Subject are aware that their Personal Information is being processed and the reason for such processing.
- Security Safeguards: The Responsible Party must secure the integrity and confidentiality of any Personal Information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction of, and unlawful access to the Personal Information in its possession.
- Data Subject Participation: Data Subjects must be allowed access to their personal information and to request that Personal Information is corrected, updated or deleted if inaccurate.
Any Personnel acting under the authority of CCBA, who has access to Personal Information, will not process Personal Information except on instructions from CCBA. Access to internal CCBA systems that contain Personal Information is limited to a select group of authorized CCBA Personnel who have a business need to access particular Personal Information. Personnel are given access to such systems through the use of a unique identifier and password and other access control mechanisms.
Personnel who require permanent or regular access to Personal Information are bound by non-disclosure and confidentiality agreements, instructions and policies intended to protect the confidentiality of Personal Information.
Appropriate training will be provided to Personnel who have permanent or regular access to Personal Information or who are involved in the Processing of Personal Information.
Purpose Of Data Processing And Justification Basis
CCBA will Process Personal Information only in the following limited circumstances:
- Where the Data Subject, or a competent person where the Data Subject is a child, consents to the Processing;
- where the Processing is necessary for CCBA’s performance, execution or termination of a contract to which the relevant Data Subject is a party, or in order to take steps at the request of the Data Subject before entering into such a contract;
- where the Processing is necessary for compliance with a legal obligation arising under the law to which CCBA is subject;
- where Processing of Personal Information is necessary for the purposes of legitimate interests pursued by CCBA or a third party, unless the interests of the Data Subject are overridden, in the circumstances, by the privacy-related interests or fundamental rights and freedoms of the relevant Data Subject. Legitimate interests could be a lawful basis for Processing, when the Data Subject can reasonably expect at the time and in the context of the collection of his/her Personal Information that Processing for a given purpose may take place. Examples of purposes of Processing that could be based on the legitimate interests include, but are not limited to: fraud detection, responses to requests of individuals, protection of CCBA's interests (e.g. to respond to requests from government agencies);
- where the Processing is necessary in order to protect the vital interests of a Data Subject; or
- where the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public law duty by a public body.
Processing operations falling under one of the points set out in section 4.1 above, notably include the following, and CCBA will use the Personal Information it collected about a Data Subject for the following purposes:
- Providing products and services as requested by customers and consumers, including sending of marketing communications to Data Subjects;
- Personalising marketing communications to Data Subjects;
- Allowing Data Subjects to register and participate in promotions, special offers, loyalty programs, prize draws etc.;
- Data analytics to derive trends and improve CCBA products and services;
- Concluding contracts and business transactions;
- Confirming, verifying and updating Data Subject details;
- Managing the CCBA workforce, including providing benefits and entitlements (such as compensation and benefits) to Personnel;
- Complying with employment and labour laws, regulations, and requirements;
- Communicating with Data Subjects including Personnel, business partners, consumers and customers;
- Conducting criminal reference checks and/or conducting credit reference searches or verifications;
- Protecting the rights and freedoms of CCBA, its customers, consumers, business partners, and Personnel;
- For the detection and prevention of fraud, crime, money laundering or other malpractice;
- Processing operations in the context of mergers, acquisitions and other corporate operations;
- Complying with legal requirements;
- Protecting and enhancing the security and safety of CCBA and individuals including customers, consumers, business partners, and Personnel; or
When the Processing of Personal Information is based on the consent of the Data Subject, CCBA and its Personnel will obtain clear and explicit consent from the Data Subject.
For consent of minors, the requirements stipulated under section 16 below must be considered in addition.
CCBA will not process Special or Sensitive Personal Information except where:
- The Data Subject has given his/her explicit consent to the Processing for one or more specified purpose;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of CCBA or of the Data Subject (i.e. in the field of employment and social security and legislative obligations);
- the Processing is necessary to protect the Data Subject's "vital interests" and the Data Subject is physically or legally incapable of giving consent;
- Processing relates to Personal Information which is manifestly made public by the Data Subject; or
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever a regulatory body, agency, or judicial authority requires this in its official capacity.
CCBA will collect and process the following types of Personal Information:
- Browser and device information: IP address, MAC address, Google Ad ID, Identity For Advertisers (device ID);
- Server log file information; and
- Activity / Engagement Personal Information (e.g. data and time of activity on relevant websites, number of times a website is visited, which items are clicked).
CCBA collects and processes Personal Information in the following ways:
- Through the website: We collect Personal Data through the website;
- Offline: We collect Personal Information offline, such as when a Data Subject contacts customer service; and
Information Officer / Data Protection Officer
CCBA has a designated information officer / data protection officer (“Information Officer / Data Protection Officer”). The Information Officer / Data Protection Officer can be reached at firstname.lastname@example.org.
CCBA has registered the Information Officer / Data Protection Officer in accordance with Applicable Data Protection Laws.
CCBA and its Personnel will monitor and document CCBA's compliance with this Policy and Applicable Data Protection Laws on an ongoing basis. CCBA and its Personnel will maintain and permanently update a data privacy framework to ensure and be able to demonstrate that Personal Information is Processed in accordance with the requirements of this Policy and Applicable Data Protection Laws.
CCBA and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and able to demonstrate that Processing is performed in accordance with this Policy and the requirements of POPIA.
Where Personal Information is collected from a Data Subject, CCBA shall provide the Data Subject with all of the following information at the time when the Personal Information is obtained:
- Identity and contact details of CCBA and, where applicable, of CCBA's representative/s;
- Contact details of the Information Officer / Data Protection Officer;
- Purposes of the Processing for which the Personal Information is intended as well as the legal basis for the Processing;
- Where the Processing is based on purposes of legitimate interests pursued by CCBA or by a third party, the legitimate interests pursued by CCBA or by the third party;
- Where applicable, the fact that CCBA intends to transfer Personal Information to another country or international organisation, and the existence or absence of an adequacy decision by the relevant data protection authority, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- Any third parties that Personal Information is collected from;
- Right to lodge a complaint with the relevant data protection authority; and
- Whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Information and of the possible consequences of failure to provide such personal information.
When CCBA intends to further process Personal Information for a purpose other than that for which the Personal Information was collected, CCBA will and shall obtain consent from the Data Subject prior to that further Processing.
CCBA provides the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information may be provided in writing or by electronic means, but in any case, without any media interruption.p>
Rights Of The Data Subject
CCBA and its Personnel will ensure that Data Subjects are able to exercise their rights with regard to the data Processing, including:
- Right to be informed;
- Right of access by the Data Subject;
- Right to rectification;
- Right to erasure;
- Right to restriction of Processing;
- Right to data portability;
- Right to object against the Processing; and
- Right to lodge a complaint with the relevant data protection authority.
CCBA and its Personnel will provide any information and any communication relating to Processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The communication may be provided in writing or by electronic means.
CCBA and its Personnel will ensure that information or action taken on a request to the Data Subject will be provided without undue delay and in any event within 1 (one) month of receipt of the request. When CCBA and its Personnel do not take action on the request of a Data Subject, CCBA and its Personnel will inform the Data Subject without delay and at the latest within 1 (one) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
CCBA and its Personnel will communicate any rectification or erasure of Personal Information or restriction of Processing to each Recipient to whom the Personal Information has been disclosed, unless this proves impossible or involves disproportionate effort.
Accuracy Of Data
Reasonable steps will be taken to ensure the Personal Information is accurate and, where necessary, up to date. Furthermore, CCBA will take every reasonable step to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified, as applicable.
Transfer Of Personal Information Internationally
CCBA shall ensure that Personal Information will only be transferred internationally in compliance with the provisions of Applicable Data Protection Laws. Personal Information may be shared within CCBA around the world in accordance with Applicable Data Protection Laws and/or under one or more inter-company agreements which safeguard the integrity of the Personal Information and the privacy rights of the Data Subjects concerned.
CCBA shall ensure that the transfer of Personal Data internationally will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.
Storage And Erasure Of Personal Information
CCBA will retain Personal Information in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.
CCBA shall ensure that Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Information is Processed.
CCBA will securely erase Personal Information without undue delay when:
- the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
- the Data Subject withdraws consent on which the Processing is based and where there is no other legal ground for the Processing;
- the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; or
- the Personal Information has been unlawfully Processed.
The principles set out under section 11.3 above will not apply when Processing is necessary for compliance with a legal obligation which requires CCBA to keep Personal Information.
Data Protection By Design And By Default
CCBA will seek to build data protection principles, and in particular adherence to this Policy, into the design of all new (and of significant changes to existing) processes and systems involving the Processing of Personal Information.
Operators / Processors And Sharing Of Personal Information
CCBA will share Personal Information with selected Operators / Processors that deliver products and services.
CCBA will only work with Operators / Processors on the basis of written Operator agreements that set out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects and the obligations and rights of CCBA. CCBA and its Personnel will ensure that Operators / Processors:
- Process Personal Information only on documented instructions from CCBA;
- Put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate obligation of confidentiality;
- Assist CCBA by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of CCBA's obligation to respond to requests for exercising the Data Subject’s rights;
- Assist CCBA in ensuring compliance with legal obligations, in particular, the implementation of technical and organization measures and the notification in case of a Personal Information breach or security incidents;
- Inform CCBA of any inspection, audit, or inquiry made by any supervisory authority with regard to the Personal Information under its control;
- Notify CCBA promptly when it reasonably believes that there has been any unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage of Personal Information ("Data Security Breach");
- At the election of CCBA, delete or return all Personal Information to CCBA after the end of the provision of services relating to Processing, and that all existing copies are, and
- Make available to CCBA, all information necessary to demonstrate compliance with the legal obligations and allow for and contribute to audits, including inspections, conducted by CCBA or another auditor mandated by CCBA.
CCBA will maintain and permanently update a list/record of all Operators / Processors.
CCBA and its Personnel will ensure that Operators / Processors do not engage other Operators / Processors without prior specific or general written authorization of CCBA.
CCBA will disclose Personal Information to third parties when at least one of the following applies:
- The Data Subject has given his/her consent;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which CCBA is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another Data Subject;
- Processing is necessary for the performance of a public law duty by a public body;
- Processing is necessary for the purposes of the legitimate interests pursued by CCBA or by a third party; or
- Where required in an emergency where the health or security of CCBA Personnel is endangered (e.g., an accident at work).
CCBA and its Personnel will process Personal Information to conduct direct marketing when the Data Subject has provided his/her prior express consent and / or as otherwise authorized by Applicable Data Protection Laws.
CCBA will not allow the Processing of the Personal Information of a minor where the minor is below the age of 18 (eighteen) years.
CCBA and its Personnel will only process Personal Information of a minor if:
- prior consent is obtained from a competent person (parent or legal guardian);
- it is necessary for the establishment, exercise or defence of a right or obligation in law;
- it is necessary to comply with an obligation of international public law.
Complaint Handling / Enforcement Process
CCBA has appointed an Information Officer / Data Protection Officer, who enforces compliance with this Policy.
CCBA and its Personnel are responsible for observing this Policy. Non-compliance with this Policy may result in disciplinary sanctions, dismissal, or any other type of sanction permitted by applicable law.
If at any time any person subject to this Policy believes that Personal Information is or have been Processed in violation of this Policy, he/she must report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at email@example.com.
If any Personnel believes that he/she is not able to comply with this Policy because of legal requirements or instructions given to him/her, he/she should immediately report that information to the Privacy Office. The CCBA Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance.
CCBA and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Information against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage, and ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
CCBA is obliged to implement technical and organizational security measures for Processing of any Personal Information.
Technical measures are those that directly involve the IT system. Organizational measures, on the other hand, relate to the system's environment and particularly to the Personnel using it.
Data Protection, Breaches And Security Incidents
If at any time Personnel become aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information or believes that Personal Information is or has been Processed in violation of this Policy, he/she should immediately report the concern to the CCBA Information Officer / Data Protection Officer by e-mail at firstname.lastname@example.org.
CCBA will inform affected Data Subjects without undue delay of any such breach of security which is likely to result in a high risk to their privacy, providing them with appropriate information about the breach, including all information required under Applicable Data Protection Laws.
In the case of a Personal Information breach affecting Data Subjects, CCBA will without undue delay after having become aware of it, notify the Personal Information breach to the relevant data protection authority.
Obligations Towards Data Protection Authority
CCBA and, where applicable, its representatives, will cooperate, on request, with the relevant data protection authority in the performance of its tasks. CCBA commits to cooperate with the relevant data protection authority to address any complaints and comply with the advice or orders given by the relevant data protection authority.
CCBA will respond diligently and appropriately to inquiries from the relevant data protection authority.
All inquiries relating to this Policy should be directed to the Privacy Office and the Information Officer / Data Protection Officer: email@example.com.
Implementation Of And Modifications To This Policy
This Policy will come into effect on 1 July 2021. This Policy will be published on the CCBA website. CCBA is committed to communicating this Policy to and how it may be accessed by all current and new Personnel. Each CCBA Personnel is obliged to take notice and review this Policy including any amendments of this Policy in future.
CCBA reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, CCBA practices and procedures, or requirements imposed by relevant data protection authorities. CCBA will post all changes to this Policy on relevant websites.