Information on the processing of personal data of Customers and Potential Customers
Coca-Cola HBC Italia S.r.l., in its capacity as data controller (the "Data Controller"), wishes to inform you that the personal data of the data subject (in the event that it is a natural person or a sole proprietorship), of its partners, employees or appointees (hereinafter the "Data Subjects") communicated for the performance of new customer acquisition activities (so-called prospecting), promotion of its services and/or products, as well as activities in the execution of services of a contractual nature, by way of example but not limited to, commercial and supply of the product and services (hereinafter, the "Activity") between the Data Controller and the other party (hereinafter, as the case may be, the "Potential Customer" or the "Customer"") and in the course of carrying out the same, as well as related activities, will be processed in accordance with this information on the processing of personal data. The processing of personal data will be carried out in full compliance with the principles of correctness, lawfulness and transparency, as well as the rights and confidentiality of the Customer.
1. Personal data controller
The data controller is Coca-Cola HBC Italia S.r.l., with registered office in Piazza Indro Montanelli, 30, 20099 Sesto San Giovanni (Milan)
The Data Controller has made the appointments as data processors where necessary in accordance with the current regulatory framework. The complete list of data processors is available upon written request sent to the e-mail address below.
The Data Controller has appointed a data protection officer pursuant to Article 37 of the General Data Processing Regulation 679/2016/EU (hereinafter the "Privacy Regulation") who can be contacted at the following email address: DataProtectionOffice@cchellenic.com
2. Personal data collected
The Data Controller collects and processes the following personal data of the Data Subjects (hereinafter, jointly, the "Data"):
1. identification and contact data of the Potential Customer and/or the Customer (such as, for example, name or company name, headquarters, address, telephone number, fax number, e-mail number, VAT number, tax code, name of the Customer's or Potential Customer's contact persons, etc.);
2. economic and financial data referring to the Customer (such as, for example, data on financial solvency, bank details - Iban, information relating to payment, etc.), commercial invoices issued for the supply of goods and services and related payments (so-called accounting movements), as well as information on satisfaction ratings and related to the questionnaires sent, as well as information related to customer service;
3. data on the geographical coordinates of the Customer's business, enriched with aggregate information of a purely demographic and commercial nature, deriving from open sources or from third-party or Data Controller processing; and
4. data on the geographical location of the refrigerated display case, if provided on loan for use by the Data Controller to the Customer if installed at the Customer's commercial establishment.
The Data are provided directly by the Data Subjects or are collected from independent third party data controllers, including commercial information companies, or obtained from registers, lists or public databases for the processing purposes referred to below.
3. Purpose of the processing
The Data are processed for the following purposes:
1. to allow (i) the execution of the contract with the Customer and the fulfilment of contractual and pre-contractual obligations, as well as certain activities requested by the Customer, deriving from the relationship to which the Customer is a party; (ii) customer support services; (iii) the administrative management of the Customer, including the management of master data, management of orders, contracts and invoices and the keeping of the related accounts, management of credits; (iv) to allow the Customer to be contacted, through telephone communications, with an operator for the execution and fulfilment of contractual and pre-contractual services; (ii) organise visits to the Customer's registered office and/or business on a periodic basis for the promotion of the Data Controller's products and/or services; . ("Contractual Purposes");
2. to allow the sharing of the identification data referred to in paragraph 2.1 above relating to the Customer in favour of third-party companies operating in the food delivery sector in order to optimise the Owner's product offer by the Customer on food delivery apps and platforms subject to free consent, specific, informed and unequivocal of the Customer. The Data Subjects may, at any time and free of charge, revoke their consent to the processing of their Data, without this in any way affecting the lawfulness of the processing based on the consent given before the revocation ("Consent for the optimization of the product offer on third-party online platforms");
3. allow to: (i) visit the Potential Customer and, following an expression of interest by the same in the services and products of the Data Controller, conduct prospecting activities; (ii) carry out internal statistical analyses and market surveys; (iii) communicate the data referred to in paragraph 2.3 above relating to the geographical location of the Customer's business in which the display fridge supplied by the Data Controller is installed to managers of external consumer analysis platforms (such as, for example, DoveConviene S.r.l.) and their customers in order to allow the promotion to consumers of certain products marketed through the Customer's business, where those consumers are in the vicinity of that shop, the collection of information from those consumers about the type of customers who frequent the shop and the related analysis, and thus the optimisation of the product offer through the same and the increase in sales; (iv) to improve products and services in the light of satisfaction ratings and positive or negative considerations expressed through the questionnaires; (v) improve the positioning of products in vending machines (and other systems) and any better efficiency ("Purposes of Legitimate Marketing Interest");
4. allow: (i) the sharing of the identification data referred to in paragraph 2.1 relating to the Customer in favour of third-party companies connected to the Data Controller and part of the Hellenic Group whose products are marketed through the Data Controller's commercial network in order to allow the supply of said products to the Customer (administrative activities and logistics management); (ii) the protection, management and recovery of receivables in an extrajudicial, quasi-judicial and judicial manner, also consisting of portfolio analysis and estimation of the recoverability of guarantees; (iii) the analysis of the company's credit performance as a whole, at the level of individual customers or homogeneous groups; (iv) the assessment of the Customers' debt behaviour, through the verification of accounting information; (v) the performance of activities functional to the sale of business and business units, acquisitions, mergers, demergers or other transformations and for the execution of such transactions; (vi) manage customer relations by offering an efficient customer care service; (vii) the inclusion of the Customer in clusters of customers with similar indices and characteristics, in order to better direct the activities related to the execution of the existing contract, by cross-referencing the geographical coordinates of the point of sale with aggregate information of a purely demographic and commercial nature ("Purposes of Legitimate Business Interest").
5. for the management of litigation and for the exercise of the rights and legitimate interests of the Data Controller towards the customer and/or third parties, for example the right of defence in court, the management of complaints and litigation, the prevention of fraud and/or illegal activities. ("Legitimate general interest of the Data Controller");
6. to comply with any legal and regulatory obligations ("Legal Purposes").
4. Nature of the provision of Data and legal basis of the processing
The provision of Data and the related processing are mandatory for: (i) the Contractual Purposes as necessary for the execution of the Activities with the Customer and (ii) the Legal Purposes as required by laws, regulations and EU legislation. In the event that the Customer does not want their Data to be processed for these purposes, it will not be possible for the Data Controller to enter into a contractual relationship with them and follow up on the Customer's requests in terms of the execution of certain activities.
The provision of data for point 3.2 is optional and the lack of consent for such specific and autonomous processing does not affect the relationship between the Parties. Failing this, however, optimizations regarding the offer of products on the platforms of food delivery companies will not be guaranteed.
The processing for the purposes of Legitimate General Interest is functional to the management of litigation and the exercise of the rights and legitimate interests of the Data Controller towards the Customer and/or third parties.
The processing for the Purposes of Legitimate Marketing Interest is functional to the pursuit of a legitimate interest of the Data Controller adequately balanced with the interests of Potential Customers and Customers in light of the limits imposed on such processing illustrated in the previous paragraph. In particular, the Purpose of Legitimate Marketing Interest referred to in paragraph 3.3 above, point (iii) responds to the interest of the Data Controller and the customers of the operators of external consumer analysis platforms mentioned above to optimize the marketing of their products so that it is in line with the type of customer of the Customer and responds to the interest of the Customer in increasing its customer base as well as its turnover through the promotional initiatives carried out by the platform operators, limiting the sharing of the Customer's information only to what is necessary to identify the place of business and allowing the Customer to object to such processing at any time in the manner set out in paragraph 9 below.
The processing for the Purposes of Legitimate Business Interest is carried out for the pursuit of the legitimate interest of the Data Controller and its counterparties in carrying out the economic operations indicated above, the optimization of the administrative management of the Customer by its marketing network and the suppliers of products marketed through the same, the trend of the company's credit, the assessment of debt behaviour, as well as the reduction of the potential economic risk associated with their performance, adequately balanced with the interests of the Client as the processing takes place within the limits strictly necessary for the execution of these operations.
5. Processing methods
The Data are processed in paper, computerized and telematic form and entered in company databases (such as, for example, customer data, administrative databases, etc.) by means of the operations of collection, registration, organization, structuring, storage, consultation, use, processing, comparison.
The Data will also be: (i) processed lawfully and fairly; (ii) collected and recorded for specified, explicit, legitimate purposes and in such a way as to guarantee the confidentiality and security of the same; (iii) relevant, complete and not exceeding the purposes for which they are collected or subsequently processed; (iv) kept for a period of time not exceeding that necessary for the purposes for which they were collected and processed.
6. Communication and dissemination of Data
The Data may be communicated for the above Purposes and within the limits strictly necessary for the performance of each type of processing by the Data Controller to one or more specific subjects belonging to the following categories:
1. employees and/or collaborators of the Data Controller who are part, by way of example, of the commercial area, technical assistance, production, administration, etc., within the scope of their duties and/or any contractual obligations relating to commercial relations with the Customer, as persons in charge of processing;
2. for the performance of activities related to the execution of contracts with the Customer and as data processors (i) administrative and tax consultants; and (ii) suppliers of the Data Controller (such as, for example, suppliers of electronic/application/tracking tools, external professional collaborators, services to support customer care, processing of satisfaction ratings and annexes, credit recovery, monitoring of credit to the Customer, customer base segmentation systems, etc.);
3. as independent data controllers (i) banks and insurance companies, for the management of collections and payments, as well as commercial information companies for credit protection (including Cerved Group S.p.A., to which express reference is made to the online privacy policy), as well as law firms; (ii) external platforms for the analysis of consumers and their customers for the Purposes of Legitimate Marketing Interest referred to in paragraph 3.3 above, whose information on the processing of personal data is accessible at the https://legal.shopfully.cloud/it-it/informativa-beacon-bluetooth.html; (iii) public bodies, for the fulfilment of regulatory obligations; and (iv) law enforcement and judicial authorities, in order to respond to related requests;
4 other companies, including those established abroad, belonging to the Coca-Cola Hellenic group, as data processors, for the management of certain activities relating to the execution of existing contractual relationships, such as the processing and management of Data, the management of payments and the management of credits.
The Data will not, under any circumstances, be disseminated by the Data Controller.
7. Transfer of Data abroad
The Data may be freely transferred outside the national territory to countries located in the European Union, but may also be transferred outside the European Union and in particular to companies of the Coca-Cola Hellenic group located outside the European Economic Area (e.g. Armenia, Belarus, Bosnia and Herzegovina, Macedonia, Moldova, Montenegro, Nigeria, Russia, Serbia and Ukraine). Any transfer of Data to countries located outside the European Union will take place, in any case, in compliance with the appropriate and appropriate guarantees for the purposes of the transfer itself pursuant to the applicable legislation and in particular Articles 45 and 46 of the Privacy Regulation.
Data Subjects will have the right to obtain a copy of the Data held abroad and to obtain information about the place where such Data are stored by making an express request to the Data Controller at the address below.
8. Data retention period
The Data Controller will retain the Data for the period strictly necessary to fulfil the Purposes for which they were collected pursuant to paragraph 3 above. In any case, the following retention periods apply to the processing of Data for the purposes indicated below:
1. the Data processed for the Contractual Purposes are stored for the entire duration of the contract and for 10 years following its expiry for defence purposes and/or to assert a right of the Data Controller in court and/or out of court in the event of disputes, by way of example, related to the performance of the contract;
2. the Data processed for the Legal Purposes are stored for a period equal to the duration prescribed for each type of data by law;
3. Data processed for Purposes of Legitimate General Interest are stored for a period equal to the duration of the contractual relationship and 10 years following its expiry.
4. the Data processed for Purposes of Legitimate Marketing Interest are stored for a period equal to the entire duration of the service used as well as for 2 years following the last purchase and/or the end of the service used;
5. Data processed for Legitimate Business Interest Purposes are stored for a period equal to the duration of the contractual relationship and 10 years following its expiry. It should be noted that the aggregate information of a purely demographic and commercial nature cross-referenced with the geographical location of the Customer, will be updated frequently (for reasons of better segmentation of the customer base) and therefore observe very limited retention criteria.
9. Rights of the data subjects
In relation to the aforementioned processing, the Data Subjects may, at any time and free of charge, (a) obtain confirmation of the existence or otherwise of Data concerning them and communicate them; (b) know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means; (c) request the updating, correction or - if they are interested - the integration of the Data; (d) obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to object, for legitimate reasons, to the processing; (e) object, in whole or in part, to the processing of Data concerning them for direct marketing purposes carried out through automated and/or traditional methods; (f) revoke, at any time, consent to the processing of Data, without this in any way affecting the lawfulness of the processing based on the consent given before the withdrawal.
In addition to the rights listed above, Data Subjects may, at any time within the limits set out in the Privacy Regulation, (a) request the limitation of the processing of personal data in the event that (i) they contest the accuracy of the Data, for the period necessary to verify the accuracy of such Data; (ii) the processing is unlawful and the Customer opposes the deletion of the Data and instead requests that its use be limited; (iii) although the Data Controller no longer needs them for the purposes of processing, the Data are necessary for the Data Subjects to ascertain, exercise or defend a right in court; (iv) the Data Subjects have objected to the processing pursuant to art. 21, paragraph 1, of the Privacy Regulation pending the verification of whether the legitimate reasons of the data controller prevail over those of the data subject; (b) object at any time to the processing of the Data; (c) request the deletion of Data concerning them without undue delay; (d) obtain the portability of the Data concerning them; (e) lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), where the conditions are met.
If the Data Subjects have any doubts or concerns regarding this privacy policy or wish to exercise the rights provided for in this policy, they can contact the Data Protection Officer at the address indicated above.
10. Changes and updates
At any time, the Data Controller may make changes and/or additions to this policy, also as a consequence of any subsequent amendments and/or regulatory additions to the Privacy Regulation. In any case, changes will be notified in advance and may be made available on the Data Controller's communication channels or on the websites managed by the Data Controller, which are recommended to be consulted periodically.
Last modified: December 2023.
