Notice on the processing of Clients’ personal data (update June 2018)

Coca Cola HBC Italia S.r.l., as Data Controller (the "Data Controller"), informs that the personal data of data subject (if it is a natural person or sole proprietorship), of its shareholders, employees or appointees (hereinafter, "Data Subject"),  communicated for the conduct of negotiations related to the existing contract (hereinafter, "Contract") between the Data Controller and the counterparty of the Contract (hereinafter, "Client") and during the execution of the Contract and related activities, will be processed in accordance with this notice. The processing of personal data will be carried out in full compliance with the principles of fairness, lawfulness and transparency, as well as respecting the rights and confidentiality of the Client.


  1. Data Controller

The Data Controller is Coca Cola HBC Italia S.r.l., with registered office in Piazza Indro Montanelli, 30, 20099 Sesto San Giovanni (Milan) and can be contacted at the following certified e-mail address: .

The Data Controller has appointed, where required, Data Processors, in compliance with the current regulatory framework. The complete list of Data Processors is available upon written request sent to the aforementioned email address.

The Data Controller has appointed a Data Protection Officer, in accordance with Article 37 of the General Data Protection Regulation 679/2016 / EU (hereinafter, "GDPR"), which can be contacted at the following address:


  1. Personal Data

The Data Controller collects and processes the following personal data of the Data Subject (hereafter, "Personal Data"):

  1. General data (such as, for example, company name, registered office, address, telephone number, fax, e-mail, VAT number, tax code, etc.);
  2. Economic and financial data referring to the Client (such as, for example, information on financial solvency, bank details, Iban, etc.).

Personal Data are directly provided by the Data Subject or collected from independent third parties which act as data controllers, including commercial information companies (such as, for example, Cerved), or obtained from registers, lists or public databases for the purposes of processing set out below.


  1. Purpose of the processing

The Data are processed for the following purposes:

  1. to guarantee (i) the performance of the Contract and the fulfilment of contractual and pre-contractual obligations arising from the relationship with Client; (ii) clients support services; (iii) the administrative management of Clients, including the activities of managing clients’ lists, orders, contracts, invoices and keeping of account, credit management and (iv) the managing of litigations related to the rights of the Data Controller towards the Clients and third parties ("Contractual Purposes");
  2. to comply with any legal and regulatory obligation ("Law Purposes");
  3. to contact the Client by telephone and by visiting its office, monthly, for the promotion of products and/or services of the Data Controller and for carrying out internal statistical analyses and market surveys ("Legitimate Interest of Marketing"); and
  4. to allow (i) the exchange of financial information, useful to monitor the creditworthiness of the Client, with commercial information companies, for the credit protection; and (ii) the performance of activities leading to the transfer of business, or branches of business, acquisition, merger, demerger or any other transformation and for the execution of such operations ("Legitimate Business Interests").


  1. Legal ground of the processing

The processing of Personal Data is compulsory for (i) the Contractual Purposes, as it is necessary for the performance of the Contract with the Client; and (ii) the Law Purposes, as it is necessary for the Data Controller to be compliant with the Union and Italian laws and regulations. If the Client does not want its Personal Data to be processed for such purposes, the Data Controller cannot conclude a contract with the Client.

The processing for the Legitimate Interest of Marketing is necessary to pursue a legitimate interest of the Data Controller, which is adequately balanced with the Client’s interests, considering the limits imposed to this kind of processing, as illustrated in the previous paragraph.

The Processing for the Legitimate Business Interests is necessary to pursue legitimate interests of the Data Controller and its counterparties, in particular to perform of the above-mentioned economic operations and to reduce the related potential economic risks, these interests are adequately balanced with the Client’s interests, as Personal Data are processed to the extent strictly necessary to execute these operations.


  1. Means of processing

Personal Data are processed manually, electronically and entered in company databases (such as, for example, Clients database, administrative databases etc.), the processing implies the collection, registration, organization, structuring, storage, consultation, use, alignment and combination of Personal Data.Furthermore, Personal Data will be: (i) processed lawfully and fairly; (ii) collected and registered for specific, explicit, legitimate purposes and in a manner that ensures the appropriate confidentiality and security of them; (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected or processed; (iv) stored for a period of time no longer than the one necessary to reach the purposes for which they are collected and processed.


  1. Communication and disclosure

Personal Data may be communicated, for the above-mentioned purposes and to the extent strictly necessary to perform each kind of processing by the Data Controller, to persons and companies belonging to the following categories:1.     as data processors, employees and/or collaborators of the Data Controller, by way of example, of the commercial area, technical assistance, production area, administration area, etc., in connection with their duties and/or to perform contractual obligations inherent to the relationship with the Client;2.     as data controllers, in order to execute activities related to the performance of the Contract with the Client (i) legal, administrative and tax consultants or law firms; and (ii) suppliers of the Data Controller (such as, for example, suppliers of electronic system, external professional agents, etc.);3.     as data controllers (i) banks and insurance companies, for the management of receipts and payments, as well as commercial information companies for credit protection; (ii) public bodies, for the fulfillment of regulatory obligations; and (iii) public security forces and judicial authorities, to reply to any requests they submit to the Data Controller; and4.     as data controllers, other companies, including those established outside Italy, belonging to Coca‑Cola Hellenic Group, to manage certain activities related to the performance of existing contractual relationships, such as the processing and management of Personal Data, payment and credit management.The Personal Data will not be disclosed, under any circumstances, by the Data Controller. 

  1. Communication and disclosure

Personal Data could be transferred outside Italy to countries members of the European Union, but could also be transferred outside the European Union, in particular, to companies of the Coca‑Cola Hellenic Group which are located outside the European Economic Area (e.g., Belarus, Bosnia and Herzegovina, Macedonia, Moldova, Montenegro, Nigeria, Russia, Serbia and Ukraine). The possible transfer of Persona Data will be in compliance with the suitable and appropriate guarantees under the law and, in particular, according to Articles 45 and 46 of the GDPR. Data Subjects have the right to obtain a copy of the Personal Data transferred outside Italy and to receive information about the place where these Personal Data are stored, by submitting specific request at the address set out below. 

  1. Data retention period

Data Controller will retain Personal Data for the period necessary to reach the purposes above-mentioned, in accordance with paragraph 3 of the present notice. In any case, the following retention periods apply to each processing of Personal Data, according to the specific purpose for which they are processed:

1.     Personal Data processed for Contractual Purposes are retained for the whole duration of the Contract and for 10 years after the expiration of the latter, to assure Data Controller the possibility to defence and/or claim its rights in legal proceeding and/or out-of-court in case of disputes related to the performance of the Contract;2.     Personal Data processed for Law Purposes are retained for time prescribed for each type of data by law;3.     Personal Data processed for Legitimate Interest of Marketing are retained for the entire duration of the service supplied by the Data Controller and for 2 years following the last purchase and/or the end of the service supplied;4.     Personal Data processed for Legitimate Business Interests are retained for 10 years from the time of their collection.


  1. Data Subject Rights


In relation to the aforementioned processing, the Data Subject may, at any time and for free, (a) obtain confirmation as to whether or not its personal data are processed by the Data Controller; (b) ask information about the origin of its personal data, the purposes of the processing and its manner, as well as the logic applied to the processing carried out through electronic means; (c) require the update, correction or the integration of its personal data; (d) obtain the erasure, the rendering anonymous or the blocking of its data processed in violation of the law, as well as object, for legitimate reasons, to the processing; (e) object, in whole or in part, to the processing of its data for direct marketing purposes carried out in automated and/or traditional manner; (f) revoke, at any time, its consent to the processing of personal data, without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.

In addition to the rights listed above, the Data Subject may, at any time within the limits set out in the GDPR, (a) require the limitation of the processing of personal data in the event that (i) the accuracy of its personal data it is contested, for the period necessary to verify the accuracy of the latter; (ii) the processing is unlawful and the data Subject opposes the erasure of its personal data and requests the restriction of their use instead; (iii) although the Data Controller no longer needs the personal data of the Data Subject for the purposes of the processing, the Data Subjects requires them fot the establishment, exercise or defence of legal claims; (iv) object to processing pursuant to Article 21, paragraph 1, of the GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject; (b) oppose to the processing of its personal data; (c) require the erasure of its personal data without delay; (d) obtain the portability of its personal data; (e) lodge a complaint with the Italian Protection Authority.

If the Data Subject has any doubts or perplexities regarding this privacy notice or wishes to exercise the rights herewith set forth, it may contact the Data Controller or Data Protection Officer at the addresses indicated above.


  1. Modification and update

This notice applies from May 25th, 2018. Data Controller, subject to notice, shall make changes and/or integrations to the present notice, also according to any amendments and/or integration to the GDPR. The changes will be notified in advance and may be made available on the Data Controller's communication channels or on the websites managed by the Data Controller.