The Coca-Cola Company Global Privacy Policy

The Coca-Cola Company, its affiliates, divisions, business units, controlled subsidiaries and entities in which it either owns a majority interest or manages operations (collectively referred to as “TCCC” or “we”) are committed to protecting and respecting individual privacy.

This Privacy Policy (“Policy”) sets out the minimum basis for TCCC and its Personnel to follow anytime we do anything with Personal Data.

SCOPE

This policy applies to all TCCC Personnel.

CONTENTS

  1. Key Terms and Definitions
  2. Basic Principles of Data Processing
  3. Purpose of Data Processing and Justification Basis
  4. Accountability
  5. Information Obligations
  6. Accuracy of Data
  7. Transfers of Personal Data to Third Countries
  8. Storage and Erasure of Personal Data
  9. Third-Party Processors
  10. Third-Party Recipients
  11. Minors
  12. Complaint Handling/Enforcement Process
  13. Data Security and Confidentiality
  14. Data Breaches and Security Incidents
  15. Relationship between this Policy and Applicable Data Protection Law
  16. Implementation of and Modifications to this Policy
  17. Related Policies, Processes, and Guidelines
  1. Key Terms and Definitions

    • “Applicable Data Protection Laws” means all applicable laws and regulations in relation to data security and privacy.
    • “Code of Business Conduct” means TCCC’s global policy which requires employees, suppliers (including contingent workers), and non-employee directors to conduct themselves in an appropriate manner within and outside the Company to help maintain its reputation, integrity, and standards for ethical conduct;
    • “Individual” means anyone who can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data, online identifier or to one or more separate or combined factors specific to physical, physiological, genetic, mental, economic, cultural or social identity;
    • “Personal Data” means any information Processed by or on behalf of TCCC that relates to an Individual;
    • “Personal Information” shall have the same meaning as “Personal Data”;
    • “Personnel” means all full-time or part-time employees at every level of the Company, interns, trainees, contingent workers, and any other workers of any kind who perform work or service for or on behalf of TCCC, including Service Providers;
    • “Processing” or “Process” or “Processed” means any operation or set of operations which is/are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including (but not limited to) collection, analysis, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    • “Sensitive Personal Data” means any Personal Data revealing financial account information (including bank account information), credit card or debit card information, tax identification numbers, government identification numbers, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an Individual (e.g. fingerprints), data concerning health, data concerning an Individual’s sex life or sexual orientation, and Personal Data relating to criminal convictions and offences;
    • “Service Provider” means any company not a controlled subsidiary or affiliate of TCCC, which processes Personal Data on behalf of, or as directed by TCCC (such as, for example, to provide services or product offerings).
    • “Third-Party Processors” means organizations or companies not a subsidiary or affiliate of TCCC (including Service Providers), which Process Personal Data on behalf of, or as directed by TCCC.
  2. The Basic Principles of Data Processing

    At TCCC, we adhere to the following general principles when Processing Personal Data:

    • Principles of lawfulness, fairness and transparency: We Process Personal Data in accordance with applicable legal regulations, in a manner that recognizes Individual interests, and in a manner that is open to the Individual;
    • Principle of purpose limitation: We collect Personal Data for specified, explicit and legitimate purposes and do not Process Personal Data in a manner incompatible with those purposes;
    • Principle of data minimization: We Process Personal Data that is adequate, relevant and limited to what is needed;
    • Principle of accuracy: We take measures to keep Personal Data as accurate as possible;
    • Principle of storage limitation: We maintain Personal Data as set forth in our applicable retention periods or as otherwise required by law;
    • Principle of integrity and confidentiality: We Process Personal Data in a manner that considers appropriate security, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage;

    Any person acting under the authority of TCCC, who has access to Personal Data, will not Process those Personal Data except on instructions from TCCC and in compliance with relevant law.

  3. Purposes and Justification of Data Processing

    3.1 We Process Personal Data for the following purposes:

    • To provide products and services as requested by customers and consumers, including Individual registration and participation in marketing promotions, events, and campaigns;
    • To comply with employment and labor laws, regulations, and requirements;
    • To protect and enhance the security and safety of TCCC and Individuals including customers, consumers, business partners, and Personnel;
    • To send or personalize marketing communications to Individuals;
    • To run data analytics to derive trends and improve products, marketing campaigns, consumer or customer experience, employee engagement and productivity, and consumer, customer and employee services;
    • To communicate with Individuals including Personnel, business partners, consumers and other stakeholders;
    • To safeguard the uninterrupted continuity of business operations;
    • To carry out an intended sale, merger, or acquisition or other corporate transaction;
    • To comply with legal requirements; or
    • For other purposes allowed under Applicable Data Protection Law

    3.2 When the abovementioned Processing activities legally require an Individual’s consent, we will obtain clear and explicit consent from the Individual.

    3.3 We will not Process Sensitive Personal Data, except where:

    • The Individual has given his/her clear and explicit consent to the Processing;
    • Processing is necessary for the purposes of carrying out TCCC’s legal obligations and exercising specific rights of TCCC or of the Individual (i.e., in the areas of employment, social security, and applicable government benefits reporting laws);
    • Processing is necessary to protect the Individual’s legal interests and the Individual is physically or legally incapable of giving consent; and/or
    • Processing is necessary for the establishment, exercise or defense of legal claims or whenever a regulatory body, agency, or judicial authority requires this in its official capacity.
  4. Accountability

    4.1 TCCC and its Personnel will monitor and document TCCC’s compliance with this Policy and Applicable Data Protection Laws on an ongoing basis.

    4.2 TCCC and its Personnel are responsible for demonstrating that they have taken appropriate technical and organizational measures to ensure and be able to demonstrate that Processing is performed in accordance with this Policy and any Applicable Data Protection Law.

  5. Information Obligations

    5.1 When we collect Personal Data from an Individual and where required by Applicable Law, we will provide a privacy notice which may, subject to the Applicable Data Protection Law, include the following information:

    • The purpose for TCCC’s Processing of Personal Data;
    • Other recipients of Personal Data (such as Service Providers);
    • Contact information for the Individual to direct questions or request access, rectification, deletion, portability, or restriction of Processing of Personal Data;
    • Where Processing is based on consent, the Individual’s right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal; and

    5.2 In instances where we provide a privacy notice and intend to Process Personal Data for a purpose other than that for which the Personal Data was collected, we shall provide the Individual with notice prior to further Processing. If required by Applicable Data Protection Law, we will also collect consent prior to further Processing.

    5.3 We shall provide the information in a transparent, intelligible and easily accessible form, using clear and plain language, either in writing or by electronic means.

  6. Accuracy of Data

    We shall take reasonable steps to maintain the accuracy of the Personal Data and will delete or correct any identified inaccurate Personal Data without undue delay. As part of our principles of data processing and subject to the applicable data retention policy and procedure, we erase Personal Data that is no longer necessary in relation to the purposes for which it has been collected or otherwise Processed.

  7. Transfers of Personal Data to Third Countries

    We shall ensure that the transfer of Personal Data to third countries will be done in compliance with the provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.

  8. Storage and Erasure of Personal Data

    8.1 TCCC will retain Personal Data in a manner consistent with its legal obligations and consistent with its data retention policies and procedures.

    8.2 Notwithstanding TCCC exception processes, any Sensitive Personal Data shall be encrypted at rest and in motion using TCCC-approved encryption methods.

    8.3 The TCCC Chief Privacy Officer must be consulted in case of any conflict between applicable retention schedules for Personal Data and Applicable Data Protection Law.

  9. Third-Party Processors

    9.1 We only work with Third-Party Processors that provide sufficient guarantees to implement appropriate technical and organizational measures that allow TCCC to meet its legal obligations under Applicable Data Protection Law. We conduct appropriate data security due diligence on potential Third-Party Processors and monitor for compliance with Applicable Data Protection Law and this Policy through contractual assurances, questionnaires, audits, or other due diligence measures. Where we have knowledge that a Processor is using, disclosing or otherwise Processing Personal Data in a manner contrary to these assurances, we will take reasonable steps to prevent or stop the use, disclosure or other Processing.

    9.3 We will only work with Third-Party Processors through a written contract that sets out:

    • Confidentiality requirements on part of the Third-Party Processor;
    • Third-Party Processor’s obligation to notify TCCC in the event of a data breach and to provide subsequent cooperation in reporting and remediation;
    • Third-Party Processor’s technical and organizational measures to ensure appropriate security to Process Personal Data;
    • Reason for and duration of Processing, type(s) of Personal Data Processed, types of individuals/data subjects (e.g., employees, consumers, etc.), and TCCC’s obligations and rights;
    • Processor’s willingness to assist TCCC in complying with its legal obligations, including assistance with applicable data subject rights, notifying TCCC when the Processor reasonably believes that there has been any unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage to Personal Data, and informing TCCC of any inspection, audit, or inquiry made by a data protection authority or regulatory body tasked with data protection enforcement.
  10. Third Party Recipients

    We will disclose Personal Data to third parties only in compliance with Applicable Data Protection Law.

  11. Minors

    Per its guidelines, TCCC will not target minors under the age of 12 with its marketing activities. Where the collection and Processing of Personal Information from minors requires consent (per the Applicable Data Protection Law), TCCC will take reasonable steps to ensure that parental consent is first obtained for any submission of Personal Information for minors under the age (per the applicable laws of a country) required for granting valid consent to the Processing of PI. Where stricter measures are required under applicable law, TCCC will comply with these stricter requirements.

  12. Complaint Handling/Enforcement Process

    12.1 Non-compliance with this Policy is considered a violation of the TCCC Code of Business Conduct and may result in disciplinary actions, dismissal, or any other type of sanction permitted by applicable law.

    12.2 If at any time any person subject to this Policy believes that Personal Data are or have been Processed in violation of this Policy, he or she may report the concern to the TCCC Chief Privacy Officer by e-mail at privacy@coca-cola.com; the local TCCC Legal office and/or the local Data Protection Officer in their respective Business Unit; the local Human Resources office; or the Ethics & Compliance Office at compliance@coca-cola.com.

    12.3 If any Personnel believes that he or she is not able to comply with this Policy because of legal requirements or instructions given to him or her, he or she should immediately report that information to the Privacy Office, the Ethics & Compliance Office, or to their Local Ethics Officer (“LEO”). The TCCC Privacy Office, in cooperation with other appropriate Personnel, will take necessary and appropriate steps and provide additional relevant guidance.

  13. Data Security & Confidentiality

    13.1 TCCC and its Personnel will take appropriate and commercially reasonable technical and organizational measures to protect Personal Data against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage. Technical measures are those that directly involve TCCC’s IT system. Organizational measures relate to the system’s environment and particularly to the Personnel who may come into contact with Personal Data.

    13.2 Personnel who need access to Personal Data are required to be bound by contract, TCCC Code of Business Conduct, Applicable Data Protection Laws, and/or relevant policies that protect the confidentiality of an Individual’s Personal Data.

  14. Data Protection Breaches and Security Incidents

    14.1 If at any time Personnel becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or believes that Personal Data is or has been Processed in violation of this Policy, s/he should immediately report the concern to KO-CIRT@coca-cola.com.

    14.2 TCCC will inform affected Individuals without undue delay of any breach of security of their Personal Data where legally required and shall provide all necessary information required by Applicable Data Protection Laws.

  15. Relationship between this Policy, Regional Policies and Applicable Data Protection Law

    We recognize that certain laws may impose requirements stricter than those described in this Policy. We will handle Personal Data in accordance with Applicable Data Protection Law. Where Applicable Data Protection Law provides a lower level of protection of Personal Data than established by this Policy, then the requirements of this Policy shall apply. Similarly, where a regional TCCC policy establishes the minimum criteria for Processing of Personal Data, that regional TCCC policy shall take precedence over this Policy.

  16. Implementation of and Modifications to this Policy

    16.1 This Policy was enacted January 2007 and last amended February 2017. This amended Policy is effective as of March 8, 2019. This Policy will be available on the TCCC Intranet. Each TCCC Personnel is obliged to take notice and review the Policy, including any amendments.

    16.2 TCCC reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations, TCCC practices and procedures, or requirements imposed by data protection authorities. TCCC will post all changes to this Policy on relevant internal websites.

  17. Related Policies, Processes, and Guidelines

    • Information Protection Policy
    • Data Classification Guide
    • E.U. Privacy Policy
    • Privacy FAQ