Notice on the processing of Clients’ personal data

Notice on the processing of Clients’ personal data

Coca Cola HBC Italia S.r.l., in its quality of Data Controller (the "Data Controller"), informs that the personal data of data subject (if it is a natural person or sole proprietorship), of its shareholders, employees or appointees (hereinafter, the "Data Subjects"), disclosed for the conduct of negotiations related to the contract (hereinafter, the "Contract") between the Data Controller and the counterparty of the Contract (hereinafter, the "Client") and during the execution of the Contract and related activities, will be processed in accordance with this notice. The processing of personal data will be carried out in full compliance with the principles of fairness, lawfulness and transparency, as well as respecting the rights and confidentiality of the Client.

 

  1. Data Controller

The Data Controller is Coca Cola HBC Italia S.r.l., with registered office in Piazza Indro Montanelli, 30, 20099 Sesto San Giovanni (Milan) and can be contacted at the following certified e-mail address: cchbci@legalmail.it.

The Data Controller has appointed, where required, Data Processors, in compliance with the applicable legislative and regulatory framework. The complete list of Data Processors is available upon written request sent to the aforementioned email address.

The Data Controller has appointed a Data Protection Officer, in accordance with Article 37 of the General Data Protection Regulation 679/2016 / EU (hereinafter, the "GDPR"), which can be contacted at the following address:

 

  1. Personal Data collected

The Data Controller collects and processes the following personal data of the Data Subject (hereafter, the "Personal Data"):

  1. Identification data (such as, for example, company name, registered office, address, telephone number, fax, e-mail, VAT number, tax code, names of Client’s referrals, etc.);
  2. Economic and financial data referring to the Client (such as, for example, information on financial solvency, bank details, Iban, etc.); and
  3. Data on the geo-localization of the display case-fridge, if provided by the Data Controller on loan for use to the Customer, and if installed in the Customer's business premises.

The information indicated within previous paragraph 3 are personal data only where such information refers to Data Subjects which are sole proprietorships, and are processed by the Data Controller only for the Purpose of Legitimate Interest of Marketing referred to in paragraph 3.2, point (ii) of this notice, in relation only to those businesses that have agreed with the Data Controller the supply of its display case-fridge on loan for use, and have not opposed the processing of such personal data as indicated in paragraph 9 below. Without prejudice to the above, no other data relating to the geo-localization of Data Subjects is collected.

Personal Data are directly provided by the Data Subject or collected from independent third parties which act as data controllers, including commercial information companies), or obtained from registers, lists or public databases for the purposes of processing set out below.

 

  1. Purpose of the processing

Personal Data are processed for the following purposes:

  1. to guarantee (i) the performance of the Contract and the fulfilment of contractual and pre-contractual obligations arising from the relationship with Client; (ii) clients support services; (iii) the administrative management of Clients, including the activities of managing clients’ lists, orders, contracts, invoices and keeping of account, credit management and (iv) the managing of litigations related to the rights of the Data Controller towards the Clients and third parties ("Contractual Purposes");
  2. to comply with any legal and regulatory obligation ("Law Purposes");
  3. to allow (i) to contact the Client by telephone and by visiting its office, on a regular basis, for the promotion of products and/or services of the Data Controller and for carrying out internal statistical analyses and market surveys; (ii) the disclosure of the data referred to in paragraph 2.3 above, relating to the geo-localization of the Client’s business where the display case-fridge provided by the Data Controller is installed, to external providers of consumer analysis platforms (such as, for example, DoveConviene S.r.l.) and their clients, in order to allow the promotion, addressed to consumers, of some products marketed in the Client’s shop, if such consumers are in the proximity of the shop, as well as to allow the collection from these consumers of information about the type of customers and the related analysis, and therefore, the implementation of the product offer through said shop and the sales increase ("Legitimate Interest of Marketing Purposes"); and
  4. to allow (i) the disclosure of Client’s general data referred to in paragraph 2.1 above to third parties whose products are marketed via Data Controller’s commercial network, in order to improve the administration management of such Client, thus facilitating the subsequent supply of such products to the Client; (ii) the exchange of financial information, useful to monitor the creditworthiness of the Client, with commercial information companies, for the credit protection; and (iii) the performance of activities leading to the transfer of business, or branches of business, acquisition, merger, demerger or any other transformation and for the execution of such operations ("Legitimate Business Interests Purposes").

 

  1. Nature of Personal Data provision and legal ground of the processing

The processing of Personal Data is compulsory for (i) the Contractual Purposes, as it is necessary for the performance of the Contract with the Client; and (ii) the Law Purposes, as it is necessary for the Data Controller to be compliant with the Union and Italian laws and regulations. If the Client does not want its Personal Data to be processed for such purposes, the Data Controller cannot conclude a contract with the Client.

The processing for the Legitimate Interest of Marketing is necessary to pursue a legitimate interest of the Data Controller, which is adequately balanced with the Client’s interests, considering the limits imposed to this kind of processing, as illustrated in the previous paragraph. In particular, the Legitimate Interest of Marketing Purposes, referred to in paragraph 3.3, point (ii) above, reflect the interest of the Data Controller, and the customers of the above-mentioned external provider of consumer analysis platforms, to implement the marketing of their products, so that it is in line with the type of customer and reflects the interest of the Client to increase the amount of its customers and thus increase commercial revenue, through promotional initiatives carried out by the operators of the platforms, thus restricting the disclosure of Client’s information only to what is necessary to identify the place of business, and also allowing, at any time, the Client to object such processing as referred to in paragraph 9 below.

The Processing for the Legitimate Business Interests is necessary to pursue legitimate interests of the Data Controller and its counterparties, in particular to perform of the above-mentioned economic operations, to improve the administration management of the commercial network by the Client and the third parties suppliers of products marketed, as well as to reduce the related potential economic risks, these interests are adequately balanced with the Client’s interests, as Personal Data are processed to the extent strictly necessary to execute these operations.

 

  1. Means of processing

Personal Data are processed manually, electronically and entered in company databases (such as, for example, Clients database, administrative databases etc.), the processing implies the collection, registration, organization, structuring, storage, consultation, use, alignment and combination of Personal Data.

Furthermore, Personal Data will be: (i) processed lawfully and fairly; (ii) collected and registered for specific, explicit, legitimate purposes and in a manner that ensures the appropriate confidentiality and security of them; (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected or processed; (iv) stored for a period of time no longer than the one necessary to reach the purposes for which they are collected and processed.

 

  1. Communication and disclosure of Personal Data

Personal Data may be communicated, for the above-mentioned purposes and to the extent strictly necessary to perform each kind of processing by the Data Controller, to persons and companies belonging to the following categories:

  1. as data processors, employees and/or collaborators of the Data Controller, by way of example, of the commercial area, technical assistance, production area, administration area, etc., in connection with their duties and/or to perform contractual obligations inherent to the relationship with the Client;
  2. as data controllers, in order to execute activities related to the performance of the Contract with the Client (i) legal, administrative and tax consultants or law firms; and (ii) suppliers of the Data Controller (such as, for example, suppliers of electronic system, external professional agents, etc.);
  3. as data controllers (i) banks and insurance companies, for the management of receipts and payments, as well as commercial information companies for credit protection; (ii) external platforms of consumers analysis and relevant clients for the Legitimate Interest of Marketing Purposes referred to in paragraph 3.3. point (ii) above, whose relevant privacy information notice is available here https://legal.shopfully.cloud/it-it/informativa-beacon-bluetooth.html (iii) public bodies, for the fulfillment of regulatory obligations; and (iv) public security forces and judicial authorities, to reply to any requests they submit to the Data Controller;
  4. companies whose products are marketed through the commercial network of the Data Controller for the Legitimate Business Interest Purposes referred to in paragraph 3.4, point (i) above, which will process Personal Data using the methods indicated in the privacy notice on the processing of personal data available here https://lurisia.it/informativa-clienti/; and
  5. as data controllers, other companies, including those established outside Italy, belonging to Coca‑Cola Hellenic Group, to manage certain activities related to the performance of existing contractual relationships, such as the processing and management of Personal Data, payment and credit management. The Personal Data will not be disclosed, under any circumstances, by the Data Controller. 

 

  1. Personal Data Transfer

Personal Data could be transferred outside Italy exclusively to countries members of the European Union. Data Subjects have the right to obtain a copy of the Personal Data transferred outside Italy and to receive information about the place where these Personal Data are stored, by submitting specific request at the address set out below. 

 

  1. Data retention period

Data Controller will retain Personal Data for the period necessary to reach the purposes above-mentioned, in accordance with paragraph 3 of the present notice. In any case, the following retention periods apply to each processing of Personal Data, according to the specific purpose for which they are processed:

  1. Personal Data processed for Contractual Purposes are retained for the whole duration of the Contract and for 10 years after the expiration of the latter, to assure Data Controller the possibility to defence and/or claim its rights in legal proceeding and/or out-of-court in case of disputes related to the performance of the Contract;
  2. Personal Data processed for Law Purposes are retained for time prescribed for each type of data by law;
  3. Personal Data processed for Legitimate Interest of Marketing are retained for the entire duration of the service supplied by the Data Controller and for 2 years following the last purchase and/or the end of the service supplied; and
  4. Personal Data processed for Legitimate Business Interests are retained for 10 years from the time of their collection, except for Personal Data processed for Legitimate Business Interests Purposes referred to in paragraph 3.4., point (i) above, which are retained for 12 months from the first marketing by the Data Controller of third parties’ products, or from the collection, whichever subsequent, unless, during such period, the Client has become a customer of the third party. In such case, the Personal Data will be processed for the purposes and in accordance with the modalities set forth in the notice on the processing of personal data of such third party available at https://lurisia.it/informativa-clienti/.

 

  1. Data Subject Rights

In relation to the aforementioned processing, the Data Subject may, at any time and for free, (a) obtain confirmation as to whether or not its personal data are processed by the Data Controller; (b) ask information about the origin of its personal data, the purposes of the processing and its manner, as well as the logic applied to the processing carried out through electronic means; (c) require the update, correction or the integration of its personal data; (d) obtain the erasure, the rendering anonymous or the blocking of its data processed in violation of the law, as well as object, for legitimate reasons, to the processing; (e) object, in whole or in part, to the processing of its data for direct marketing purposes carried out in automated and/or traditional manner; (f) revoke, at any time, its consent to the processing of personal data, without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.

In addition to the rights listed above, the Data Subject may, at any time within the limits set out in the GDPR, (a) require the limitation of the processing of personal data in the event that (i) the accuracy of its personal data it is contested, for the period necessary to verify the accuracy of the latter; (ii) the processing is unlawful and the data Subject opposes the erasure of its personal data and requests the restriction of their use instead; (iii) although the Data Controller no longer needs the personal data of the Data Subject for the purposes of the processing, the Data Subjects requires them fot the establishment, exercise or defence of legal claims; (iv) object to processing pursuant to Article 21, paragraph 1, of the GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject; (b) oppose to the processing of its personal data; (c) require the erasure of its personal data without delay; (d) obtain the portability of its personal data; (e) lodge a complaint with the Italian Protection Authority (www.garanteprivacy.it).

If the Data Subject has any doubts or perplexities regarding this privacy notice or wishes to exercise the rights herewith set forth, it may contact the Data Controller or Data Protection Officer at the addresses indicated above.

 

  1. Modification and update

At any time, the Data Controller, may make changes and/or integrations to the present notice, also as a consequence of any amendments and/or integration to the GDPR. In any case, the changes will be notified in advance and may be made available on the Data Controller's communication channels or on the websites managed by the Data Controller.

 

Coca‑Cola HBC Italia S.r.l.