Customer Personal Data Policy

Information on the processing of personal data of customers 

Coca-Cola HBC Italia S.r.l., in its capacity as data controller (the "Data Controller"), hereby wishes to inform you that the personal data of the data subject (in the event that it is a natural person or a sole proprietorship), its partners, employees or appointees (hereinafter the "Data Subjects") communicated for the performance of negotiations relating to the contract (hereinafter, the "Contract") between the Owner and the counterparty to the Contract (hereinafter, the "Customer") and in the course of the execution of the same and the activities related to it, will be processed in accordance with this information on the processing of personal data. The processing of personal data will be carried out in full compliance with the principles of correctness, lawfulness and transparency, as well as the rights and confidentiality of the Customer.

1. Personal data controller

The data controller is Coca-Cola HBC Italia S.r.l., with registered office in Piazza Indro Montanelli, 30, 20099 Sesto San Giovanni (Milan) and can be contacted at the following certified e-mail address: cchbci@legalmail.it.

The Data Controller has made the appointments as data processors where necessary in accordance with the current regulatory framework. The complete list of data processors is available upon written request sent to the email address indicated above.

The Data Controller has appointed a Data Protection Officer pursuant to Article 37 of the General Data Processing Regulation 679/2016/EU (hereinafter the "Privacy Regulation") who can be contacted at the following address:

• E-mail: DataProtectionOffice@cchellenic.com

2. Personal data collected

 The Data Controller collects and processes the following personal data of the Data Subjects (hereinafter, jointly, the "Data"):

1. identification data (such as, for example, name or company name, headquarters, address, telephone number, fax number, e-mail number, VAT number, tax code, name of the Customer's contact persons, etc.);
2. economic and financial data relating to the Customer (such as, for example, data on financial solvency, bank details - Iban, etc.); and
3. data on the geographical location of the display cooler, if provided on loan for use by the Data Controller to the Customer if installed at the Customer's business.

The information referred to in point 3 above is personal data only if it refers to Data Subjects who are sole proprietorships and are processed by the Data Controller solely for the Purposes of Legitimate Marketing Interest referred to in paragraph 3.2, point (ii) of this information in relation only to commercial establishments that have agreed with the Data Controller on the supply of its display cabinet on loan for use and have not objected to the processing of such personal data in the manner referred to in paragraph 9 below. Except as indicated above, no other data relating to the location of Data Subjects is collected.

The Data are provided directly by the Data Subjects or are collected from independent third party data controllers, including commercial information companies, or obtained from registers, lists or public databases for the processing purposes referred to below.

3. Purpose of the processing

The Data are processed for the following purposes:

1. to allow (i) the performance of the contract with the Customer and the fulfilment of contractual and pre-contractual obligations arising from the relationship to which the Customer is a party; (ii) customer support services; (iii) the administrative management of the Customer, including the management of master data, management of orders, contracts and invoices and the keeping of the related accounts, management of credits and (iv) the management of disputes for the protection of the rights of the Data Controller against the Customer and third parties ("Contractual Purposes");
2. to comply with any legal and regulatory obligations ("Legal Purposes");
3. to allow (i) to contact the Customer through telephone communications with an operator and visits to the Customer's premises on a periodic basis for the promotion of the Data Controller's products and/or services and to carry out internal statistical analyses and market surveys; (ii) communicate the data referred to in paragraph 2.3 above relating to the geographical location of the Customer's business in which the display fridge supplied by the Data Controller is installed to managers of external consumer analysis platforms (such as, for example, DoveConviene S.r.l.) and their customers in order to allow the promotion to consumers of certain products marketed through the Customer's business, if such consumers are located in the vicinity of said business, the collection of information from such consumers about the type of customers who frequent the business and the related analysis, and therefore the optimisation of the product offer through the same and the increase in sales ("Purposes of Legitimate Marketing Interest"); and
4. allow (i) the sharing of the identification data referred to in paragraph 2.1 relating to the Customer in favour of third party companies whose products are marketed through the Data Controller's commercial network in order to optimise the administrative management of the Customer itself, thus facilitating the subsequent supply of said products to the Customer; (ii) the exchange of information of a financial nature and functional to the control of the Customer's solvency with commercial information companies for the purposes of credit protection; and (iii) the performance of activities functional to the sale of a company and business unit, acquisitions, mergers, demergers or other transformations and for the execution of such transactions ("Purposes of Legitimate Business Interest").

4. Nature of the provision of Data and legal basis of the processing

The provision of Data and the related processing are mandatory for (i) the Contractual Purposes as necessary for the execution of the contract with the Customer; and (ii) the Legal Purposes as required by laws, regulations and EU legislation. In the event that the Customer does not want their Data to be processed for these purposes, it will not be possible for the Data Controller to enter into a contractual relationship with him.

The processing for the Purposes of Legitimate Marketing Interest is functional to the pursuit of a legitimate interest of the Data Controller adequately balanced with the interests of the Customers in light of the limits imposed on such processing illustrated in the previous paragraph. In particular, the Purpose of Legitimate Marketing Interest referred to in paragraph 3.3, point (ii) above responds to the interest of the Data Controller and the customers of the managers of external data analysis platforms consumers mentioned above to optimize the marketing of their products so that it is in line with the type of customer of the Customer and responds to the Customer's interest in increasing its customer base as well as its turnover through the promotional initiatives carried out by the platform managers, limiting the sharing of the Customer's information only to what is necessary to identify the place of the business and allowing at any time the Customer to object to such processing in accordance with the procedures set out in paragraph 9 below.

The processing for the Purposes of Legitimate Business Interest is carried out for the pursuit of the legitimate interest of the Data Controller and its counterparties in carrying out the economic operations indicated above, in the optimization of the administrative management of the Customer by its marketing network and suppliers of products marketed through the same, as well as in the reduction of the potential economic risk associated with their performance, adequately balanced with the interests of the Customer as the processing takes place within the limits strictly necessary for the execution of these operations.

5. Processing methods

The Data are processed in paper, computerized and telematic form and entered in company databases (such as, for example, customer data, administrative databases, etc.) by means of the operations of collection, registration, organization, structuring, storage, consultation, use, processing, comparison.

The Data will also be: (i) processed lawfully and fairly; (ii) collected and recorded for specified, explicit, legitimate purposes and in such a way as to guarantee the confidentiality and security of the same; (iii) relevant, complete and not exceeding the purposes for which they are collected or subsequently processed; (iv) kept for a period of time not exceeding that necessary for the purposes for which they were collected and processed.

6. Communication and dissemination of Data 

The Data may be communicated for the above Purposes and within the limits strictly necessary for the performance of each type of processing by the Data Controller to one or more specific subjects belonging to the following categories:

1. employees and/or collaborators of the Data Controller who are part, by way of example, of the commercial area, technical assistance, production, administration, etc., within the scope of their duties and/or any contractual obligations relating to commercial relations with the Customer, as persons in charge of processing;
2. for the performance of activities related to the execution of contracts with the Client and as data processors (i) legal, legal, administrative and tax consultants or firms; and (ii) suppliers of the Data Controller (such as, for example, suppliers of electronic tools, external professional collaborators, etc.);
3. as independent data controllers (i) banks and insurance companies, for the management of collections and payments, as well as commercial information companies for credit protection; (ii) external platforms for the analysis of consumers and their customers for the Purposes of Legitimate Marketing Interest referred to in paragraph 3.3, point (ii) whose information on the processing of personal data is accessible at the https://legal.shopfully.cloud/it-it/informativa-beacon-bluetooth.html; (iii) public bodies, for the fulfilment of regulatory obligations; and (iv) law enforcement and judicial authorities, in order to respond to related requests;
4. companies whose products are marketed through the Data Controller's commercial network for the purposes of Legitimate Business Interest referred to in paragraph 3.4, point (i) above, which will process the Data in the manner indicated in the information on the processing of personal data available https://lurisia.it/informativa-clienti/.
5. other companies, also established abroad, belonging to the Coca-Cola Hellenic group, as data processors, for the management of certain activities relating to the execution of existing contractual relationships, such as the processing and management of Data, the management of payments and the management of credits.

The Data will not, under any circumstances, be disseminated by the Data Controller.

7. Transfer of Data abroad

The Data may be freely transferred outside the national territory to countries located in the European Union, but may also be transferred outside the European Union and in particular to group companies located outside the European Economic Area (e.g. Armenia, Belarus, Bosnia and Herzegovina, Macedonia, Moldova, Montenegro, Nigeria, Russia, Serbia and Ukraine). Any transfer of Data to countries located outside the European Union will take place, in any case, in compliance with the appropriate and appropriate guarantees for the purposes of the transfer itself pursuant to the applicable legislation and in particular Articles 45 and 46 of the Privacy Regulation.  

Data Subjects will have the right to obtain a copy of the Data held abroad and to obtain information about the place where such Data are stored by making an express request to the Data Controller at the address below.

8. Data retention period

The Data Controller will retain the Data for the period necessary to fulfil the Purposes for which they were collected pursuant to paragraph 3 above. In any case, the following retention periods apply to the processing of Data for the purposes indicated below:

1. the Data processed for the Contractual Purposes are stored for the entire duration of the contract and for 10 years following its expiry for defence purposes and/or to assert a right of the Data Controller in court and/or out of court in the event of disputes related to the execution of the contract;
2. the Data processed for the Legal Purposes are stored for a period equal to the duration prescribed for each type of data by law;
3. the Data processed for Legitimate Marketing Interest purposes are stored for a period equal to the entire duration of the service used as well as for 2 years following the last purchase and/or the end of the service used;
4. the Data processed for the Purposes of Legitimate Business Interest are stored for a period equal to the duration of the contractual relationship and 10 years following its expiry, with the exception of the Data processed for the Purposes of Legitimate Business Interest referred to in paragraph 3.4, point (i) which will be processed for 12 months from the start of the marketing of third-party products by the Data Controller, or from the collection, whichever is later. This is without prejudice to the case in which during this period the Customer has become a customer of the third party. In this circumstance, the Data will continue to be processed for the purposes and according to the methods set out in the information on the processing of personal data of the third party available to https://lurisia.it/informativa-clienti/.

9. Rights of the data subjects 

In relation to the aforementioned processing, the Data Subjects may, at any time and free of charge, (a) obtain confirmation of the existence or otherwise of Data concerning them and communicate them; (b) know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means; (c) request the updating, correction or - if they are interested - the integration of the Data; (d) obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to object, for legitimate reasons, to the processing; (e) object, in whole or in part, to the processing of Data concerning them for direct marketing purposes carried out through automated and/or traditional methods; (f) revoke, at any time, consent to the processing of Data, without this in any way affecting the lawfulness of the processing based on the consent given before the withdrawal.

In addition to the rights listed above, Data Subjects may, at any time within the limits set out in the Privacy Regulation, (a) request the limitation of the processing of personal data in the event that (i) they contest the accuracy of the Data, for the period necessary to verify the accuracy of such Data; (ii) the processing is unlawful and the Customer opposes the deletion of the Data and instead requests that its use be limited; (iii) although the Data Controller no longer needs them for the purposes of processing, the Data are necessary for the Data Subjects to ascertain, exercise or defend a right in court; (iv) the Data Subjects have objected to the processing pursuant to art. 21, paragraph 1, of the Privacy Regulation pending the verification of whether the legitimate reasons of the data controller prevail over those of the data subject; (b) object at any time to the processing of the Data; (c) request the deletion of Data concerning them without undue delay; (d) obtain the portability of the Data concerning them; (e) lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), where the conditions are met.

If the Data Subjects have any doubts or concerns regarding this privacy policy or wish to exercise the rights provided for in this policy, they can contact the Data Controller or the Data Protection Officer at the addresses indicated above.

10. Changes and updates

At any time, the Data Controller may make changes and/or additions to this policy, also as a consequence of any subsequent amendments and/or regulatory additions to the Privacy Regulation. In any case, changes will be notified in advance and may be made available on the Data Controller's communication channels or on the websites managed by the same.

Coca-Cola HBC Italia S.r.l.