The Coca-Cola Company, its affiliates, divisions, business units, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “TCCC” or “we”) are committed to protecting and respecting individual privacy.
This policy applies to all TCCC Personnel.
At TCCC, we adhere to the following general principles when Processing Personal Data:
Any person acting under the authority of TCCC, who has access to Personal Data, will not Process those Personal Data except on instructions from TCCC and in compliance with relevant law.
3.1 We Process Personal Data for the following purposes:
3.2 When the abovementioned Processing activities legally require an Individual’s consent, we will obtain clear and explicit consent from the Individual.
3.3 We will not Process Sensitive Personal Data, except where:
4.1 TCCC and its Personnel will monitor and document TCCC’s compliance with this Policy and Applicable Data Protection Laws on an ongoing basis.
4.2 TCCC and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and able to demonstrate that Processing is performed in accordance with this Policy and any Applicable Data Protection Law.
5.1 When we collect Personal Data from an Individual and where required by Applicable Law, we will provide a privacy notice which may, subject to the Applicable Data Protection Law, include the following information:
5.2 In instances where we provide a privacy notice and intend to Process Personal Data for a purpose other than that for which the Personal Data was collected, we shall provide the Individual with notice prior to further Processing. If required by Applicable Data Protection Law, we will also collect consent prior to further Processing.
5.3 We shall provide the information in a transparent, intelligible and easily accessible form, using clear and plain language, either in writing or by electronic means.
We shall take reasonable steps to maintain the accuracy of the Personal Data and will delete or correct any identified inaccurate Personal Data without undue delay. As part of our principles of data processing and subject to the applicable data retention policy and procedure, we erase Personal Data that is no longer necessary in relation to the purposes for which it has been collected or otherwise Processed.
We shall ensure that the transfer of Personal Data to third countries will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.
8.1 TCCC will retain Personal Data in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.
8.2 Notwithstanding TCCC exception processes, any Sensitive Personal Data shall be encrypted at rest and in motion using TCCC-approved encryption methods.
8.3 The TCCC Chief Privacy Officer must be consulted in case of any conflict between applicable retention schedules for Personal Data and Applicable Data Protection Law.
9.1 We only work with Third-Party Processors that provide sufficient guarantees to implement appropriate technical and organizational measures that allow TCCC to meet its legal obligations under Applicable Data Protection Law. We conduct appropriate data security due diligence on potential Third- Party Processors and monitor for compliance with Applicable Data Protection Law and this Policy through contractual assurances, questionnaires, audits, or other due diligence measures. Where we have knowledge that a Processor is using, disclosing or otherwise Processing Personal Data in a manner contrary to these assurances, we will take reasonable steps to prevent or stop the use, disclosure or other Processing.
9.3 We will only work with Third-Party Processors through a written contract that sets out:
We will disclose Personal Data to third parties only in compliance with Applicable Data Protection Law.
Per its guidelines, TCCC will not target minors under the age of 12 with its marketing activities. Where the collection and Processing of Personal Information from minors requires consent (per the Applicable Data Protection Law), TCCC will take reasonable steps to ensure that parental consent is first obtained for any submission of Personal Information for minors under the age (per the applicable laws of a country) required for granting valid consent to the Processing of PI. Where stricter measures are required under applicable law, TCCC will comply with these stricter requirements.
12.1 Non-compliance with this Policy is considered a violation of the TCCC Code of Business Conduct and may result in disciplinary actions, dismissal, or any other type of sanction permitted by applicable law.
12.2 If at any time any person subject to this Policy believes that Personal Data are or have been Processed in violation of this Policy, he or she may report the concern to the TCCC Chief Privacy Officer by e-mail at email@example.com; the local TCCC Legal office and/or the local Data Protection Officer in their respective Business Unit; the local Human Resources office; or the Ethics & Compliance Office at firstname.lastname@example.org.
12.3 If any Personnel believes that he or she is not able to comply with this Policy because of legal requirements or instructions given to him or her, he or she should immediately report that information to the Privacy Office, the Ethics & Compliance Office, or to their Local Ethics Officer (“LEO”). The TCCC Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance.
13.1 TCCC and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Data against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage. Technical measures are those that directly involve TCCC’s IT system. Organizational measures relate to the system’s environment and particularly to the Personnel who may come into contact with Personal Data.
13.2 Personnel who need access Personal Data are required to be bound by contract, TCCC Code of Business Conduct, Applicable Data Protection Laws, and/or relevant policies that protect the confidentiality of an Individual’s Personal Data.
14.1 If at any time Personnel becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or believes that Personal Data is or has been Processed in violation of this Policy, s/he should immediately report the concern to KO-CIRT@coca-cola.com.
14.2 TCCC will inform affected Individuals without undue delay of any breach of security of their Personal Data where legally required and shall provide all necessary information required by Applicable Data Protection Laws.
We recognize that certain laws may impose requirements stricter than those described in this Policy. We will handle Personal Data in accordance with Applicable Data Protection Law. Where Applicable Data Protection Law provides a lower level of protection of Personal Data than established by this Policy, then the requirements of this Policy shall apply. Similarly, where a regional TCCC policy establishes the minimum criteria for Processing of Personal Data, that regional TCCC policy shall take precedence over this Policy.
16.1 This Policy was enacted January 2007 and last amended February 2017. This amended Policy is effective as of March 8, 2019. This Policy will be available on the TCCC Intranet. Each TCCC Personnel is obliged to take notice and review the Policy, including any amendments.
16.2 TCCC reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, TCCC practices and procedures, or requirements imposed by data protection authorities. TCCC will post all changes to this Policy on relevant internal websites.