Privacy Policy

Welcome to the official website of Hindustan Coca-Cola Beverages Private Limited (“HCCBPL”). We are committed to protecting your privacy and have created this Privacy Policy to explain how we handle and use any personal information that you may provide to us through this website.

 

Highlights 

  • Coca-Cola is one of the most recognized and iconic global brands, but we cannot refresh the world if we do not inspire confidence that we will respect our consumers, customers and employees' expectations of privacy. Our Global Privacy Policy (Policy) outlines a core set of principles for handling Personal Data to help us all use data lawfully, transparently, and appropriately. 
  • Non-compliance could lead to legal or financial damages that are the result of regulatory fines and civil actions, as well as reputational damage
  • We follow the Company's Responsible Marketing Policy as guidance for Processing Personal Data for minors but comply with local age limits where the two conflict
  • Some countries or regions may be subject to more specific additional requirements or fewer requirements than outlined in this Policy. When the Policy is in conflict with Data Protection Laws, we will apply the strictest and most legally reasonable interpretation.

 

Policy Purpose 

To provide minimum requirements to ensure that we respect the law and users' expectations of privacy when we handle Personal Data

 

Eligibility 

All Company personnel are subject to the Policy. In some countries there may be additional regulatory and compliance obligations, so some Personnel may be subject to specific additional requirements when local law requires

 

Policy Details 

 

Basic Privacy Principles 

Persons acting under the authority of The Coca-Cola Company will not process Personal Data except on instructions from The Coca-Cola Company and in compliance with relevant law

 

Purposes and Justification for Processing Personal Data 

We process Personal Data to

  • Provide products and services requested by consumers and customers, including personalized marketing campaigns
  • Comply with laws, regulations and legal requirements
  • Protect and enhance security and safety of The Coca-Cola Company, Personnel and other Individuals, including safeguarding the uninterrupted continuity of business
  • Communicate with Personnel and other Individuals
  • Run data analytics to derive trends and improve products, marketing campaigns, consumer or customer experience, employee engagement and productivity, and consumer, customer and employee services. 
  • Carry out corporate transactions including sale, acquisition and merger. 
  • For other purposes allowed under applicable Data Protection Law. 

We will NOT process Sensitive Personal Information (SPI), unless: 

  • We collect the Individual's consent, except where we must legally protect an Individual's interest and the Individual cannot physically provide consent. 
  • Processing is necessary for the purposes of carrying out The Coca-Cola Company's legal obligations and exercising specific rights of The Coca-Cola Company or of the Individual
  • We must fulfill the request of regulatory or judicial bodies, or other agencies requesting in an official capacity or processing is necessary for the establishment, exercise or defense of legal claims

 

Processing Data for Minors 

We follow the Company's Responsible Marketing Policy as guidance for Processing Personal Data for minors but comply with local age limits where the two conflict

 

Notice and Consent 

When we collect Personal Data from an Individual, we will provide a privacy notice, at a minimum describing the: 

  • Purpose for Processing Personal Data 
  • Recipients of Personal Data 
  • Contact information for the Individual to direct questions related to access or correction, and where applicable law requires, other available rights such as:
      1. Deletion
      2. Correction
      3. Portability
      4. Restriction of Processing
      5. Consent, when it is used to justify the use of Personal Data

When the purpose for use changes or we have a new purpose not set out in the original privacy notice, we will provide the Individual with notice and collect consent (where required) before we Process Personal Data for that new purpose. 

 

Personal Data Accuracy 

We will take reasonable steps to maintain the accuracy of the Personal Data and will delete or correct any identified inaccuracies without undue delay

 

Personal Data Security and Confidentiality 

The Coca-Cola Company and its Personnel will take appropriate and commercially reasonable Technical and Organizational Measures to protect Personal Data against unauthorized or accidental access, acquisition, loss, disclosure, destruction or damage. When SPI is captured, accessed, stored or transferred, additional technical and organizational measures must be implemented

Personnel who need to access Personal Data are required to be bound by contract, The Coca-Cola Company's Code of Business Conduct (CoBC), Data Protection Laws, and/or relevant policies to protect the confidentiality of an Individual's Personal Data

 

Personal Data Storage and Erasure 

Personal Data must be stored and disposed of based on Company-approved standards. When We Process SPI, the data must adhere to additional requirements documented in the Information Classification Standard unless a written exception is noted and approved by Senior Leadership. 

We will retain Personal Data in accordance with our legal obligations, retention policies and procedures. In case of a conflict between our retention policies and procedures and applicable Data Protection Law, We consult the Chief Privacy Officer for guidance. 

 

Data Breaches and Security Incidents 

Personnel should email the KO Computer Incident Response Team (KO-CIRT) immediately when they believe Personal Data has been compromised by any means including loss, erasure, alteration, misuse, unauthorized access or unlawful destruction

If Personal Data is included in an incident or breach, The Coca-Cola Company will review the details of the incident and consult applicable Data Protection Laws. The Coca-Cola Company will notify the individual without undue delay as required by law

 

Third Country Personal Data Transfers 

We will transfer Personal Data outside the country where it was collected in compliance with the provisions of applicable Data Protection Laws, such as through cross-border data transfer agreements. 

 

Third-Parties 

We will conduct due diligence on Third-Parties who handle any Personal Data in partnership with The Coca-Cola Company or on our behalf. We will monitor their compliance with Data Protection Laws and this Policy through contractual assurances, questionnaires, audits, or other measures. 

We only work with Third-Parties that implement appropriate technical and organizational measures. Where we have knowledge that a Third-Party is using, disclosing or otherwise Processing Personal Data in a manner contrary to these assurances, we will take reasonable steps to prevent or stop the use, disclosure or other possible misuse of such information

 

Third-Party Recipients 

We will disclose Personal Data to third parties only in compliance with law or approved practices

 

Relationship between this Policy and Data Protection Laws 

Some countries or regions may be subject to more specific additional requirements or fewer requirements than outlined in this Policy. When the Policy conflicts with Data Protection Laws, we will apply the strictest and most legally reasonable interpretation. Otherwise, this Policy will apply. If it is unclear which requirements apply, contact the Privacy Office.

 

Your Responsibility 

Process Personal Data and/or SPI in accordance with this Policy: 

  • Properly classify and label data to ensure that Personal Data and/or SPI is clearly identified
  • Adopt adequate technical measures to protect the Personal Data based on its sensitivity. Refer to the Information Protection Policy and Information Classification Standard for details
  • When Personal Data is involved, include Privacy in your process from the beginning. Complete a Privacy Assessment when your process, platform or application(s) will handle Personal Data
  • Report unauthorized data access to the KO-CIRT immediately. Examples of unauthorized access include:
      1. Lost or stolen device
      2. Suspicious emails/attachments/links
      3. Unauthorized access, whether unintended or malicious
  • Follow Global Minimum Standards where implemented

 

Report violations of this Policy to the Chief Privacy Officer; the local Company legal office and/or the local Data Protection Officer; your local Human Resources office; or the Ethics & Compliance Office. Likewise, immediately report conflicts that arise from legal requirements or instructions to the Privacy Office so they can work with relevant parties to provide guidance. 

 

Expected Outcomes 

When this Policy is followed, Senior Leadership and Business Owners can make informed risk-based decisions on adopting processes and applications that support The Coca-Cola Company objectives. 

When this Policy is not followed, it is a violation of The Coca-Cola Company CoBC and may result in disciplinary actions, dismissal, or any other sanction permitted by applicable law.

 

Performance Indicators 

The Coca-Cola Company will conduct periodic internal audits of privacy controls to ensure compliance with this Policy. Exceptions must be formally documented and approved by Senior Leadership. Where new Data Protection Laws are adopted or existing Data Protection Laws change, the Privacy Office will confer with local legal counsel to provide guidance on any additional requirements

 

Procedures 

This Privacy Policy is implemented primarily through biennial training, global and local awareness activities, and the Privacy Assessment. A Privacy Assessment may result in additional subtasks to ensure effective implementation. 

 

Summary of Procedures 

Biennial training focuses on ways we can embed Privacy into our design and deployment from the beginning of a business activity. The Assessment Process helps identify specific areas where we may either (i) inadvertently deviate from our Policy, or (ii) decide to deviate from our Policy to address additional, specific requirements

 

Policy Procedures 

Training 

Biennial online privacy training is required for all Personnel (excluding plant workers) designated as "online learners." Privacy training may also be reinforced through other required training, such as the annual CoBC

 

Privacy Assessment 

A Privacy Assessment evaluates an activity to ensure that it is aligned with the Policy or additional requirements mandated by local law. A Privacy Assessment may identify areas of risk where remediation is required in order to fully adhere to this Policy

  • Risk Assessment is required to ensure that web/mobile apps and 3rd parties that store Personal Data are evaluated for appropriate technical and organizational measures
  • Privacy Notice 
  • Cookie Policy 
  • Consent 
  • Data Processing Agreement (DPA) 
  • Data Subject Access Request 

 

Key terms and definitions 

1. Data Protection Laws or Laws or Regulations means all applicable laws and regulations in relation to data security and privacy. 

2. Business Owners are the Individuals responsible for making changes to an activity that processes Personal Data

3. Code of Business Conduct (CoBC) is The Coca-Cola Company's global policy which requires Personnel to conduct themselves in an appropriate manner to help maintain its reputation, integrity, and standards for ethical conduct

4. Data Processing Agreement (DPA) refers to the conditions which need to be included into agreements when Personal Data is being Processed

5. Global Minimum Standards is the baseline by which this policy is applied in regions or countries where there are no more specific Laws. 

6. Individual or Data Subject means anyone who can be identified, directly or indirectly, by using an identifier like name or address alone or in combination with other data factors

7. Senior Leadership refers to The Coca-Cola Company or a business unit's Senior Leadership

8. Organizational Measures are data protection measures that relate to the system's environment and particularly to the Personnel who may encounter Personal Data

9. Personal Data or Personal Information means any information Processed by or on behalf of The Coca-Cola Company that relates to an Individual

10. Personnel means all full-time or part-time employees at every level of the Company, interns, trainees, contingent workers, marketing agencies and any other workers of any kind who perform work or services for or on behalf of The Coca-Cola Company, including service providers

11. Privacy Office refers to the Personnel who report to the Chief Privacy Officer and support adoption of Privacy compliance requirements

12. Processing or Processed or Process means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether manually or by automated means. Processing may be carried out by Personnel who are internal or third-parties. Other terms that describe Processing are Handle or Handling, Access, Collect, Share or Sharing, Store or Storing and Use or Using

13. Sensitive Personal Information means any Personal Data that requires more protection because it is sensitive. Examples include: 

a. Health information 

b. Genetic or biometric info used to identify an Individual 

c. Race 

d. Religious or political affiliation 

e. Sexual orientation 

f. Government-issued IDs 

g. Financial account information 

 

NOTE: Personal Data and SPI may be classified and addressed with specific additional requirements in some locations. To that end, please contact the Privacy Office with questions. 

14. Technical Measures are data protection measures that directly involve The Coca-Cola Company's IT systems.

15. Third-Party or Third-Parties are organizations or companies that are not a subsidiary of or affiliated with The Coca-Cola Company. 

16. We means The Coca-Cola Company, its Personnel and any vendor, agency or person acting on its behalf

 

Regulatory references + Citations

Privacy laws are continually evolving. Email the Privacy Office if you have questions related to applicable laws in your area. 

 

Questions and Clarification 

Contact the Privacy Office with questions related to this policy. 

Contact the Coca-Cola Computer Incident Response Team (KO-CIRT) immediately when you believe Personal Data has been compromised by any means. 

Report violations of this policy to the Ethics & Compliance Office

 

Privacy Assessment 

 

Notice of Disclaimer - Right to Vary, Terminate or Amend Policy 

The Coca-Cola Company ("the Company," "TCCC") intends to notify employees of changes to its policies and procedures. However, TCCC reserves the right to change, revise, withdraw, or add to its policies, processes, procedures, or guidance at any time, at its sole discretion, with or without notice if necessary, in accordance with applicable law and regulations by providing such notice as may be required by applicable law. If there is any discrepancy between local law and the content of this policy, local law or labor agreements will always govern and be binding. This policy does not create any contractual rights or obligations, whether express or implied

 

Notice of Disclaimer - Contract of Employment 

TCCC's policies and associated processes, procedures, and guidance are not contracts of employment nor are they intended to create contractual rights or obligations for TCCC. The terms of this policy do not create a contract of employment or alter the at-will employment relationship between the Company and Employees in all jurisdictions where employment at-will is permitted, to the extent that there are no inconsistencies. In the event of any inconsistency between this policy and the contract of employment, the contract of employment will govern to the extent of the inconsistency and remaining provisions of this policy will continue to apply. In instances where a contract of employment exists, the terms of this policy are not incorporated into an employee's contract of employment with the Company