The Coca-Cola Company Global Privacy Policy

The Coca-Cola Company, its affiliates, divisions, business units, controlled subsidiaries and entities in
which it either owns a majority interest or manages operations (collectively referred to as “TCCC” or
“we”) are committed to protecting and respecting individual privacy.
This Privacy Policy (“Policy”) sets out the minimum basis for TCCC and its Personnel to follow
anytime we do anything with Personal Data.
SCOPE:
This policy applies to all TCCC Personnel.

CONTENTS
1. Key Terms and Definitions
2. Basic Principles of Data Processing
3. Purpose of Data Processing and Justification Basis
4. Accountability
5. Information Obligations
6. Accuracy of Data
7. Transfers of Personal Data to Third Countries
8. Storage and Erasure of Personal Data
9. Third-Party Processors
10. Third-Party Recipients
11. Minors
12. Complaint Handling/Enforcement Process
13. Data Security and Confidentiality
14. Data Breaches and Security Incidents
15. Relationship between this Policy and Applicable Data Protection Law
16. Implementation of and Modifications to this Policy
17. Related Policies, Processes, and Guidelines
 1. Key Terms and Definitions

• “Applicable Data Protection Laws” means all applicable laws and regulations in relation to
data security and privacy.
• “Code of Business Conduct” means TCCC’s global policy which requires employees, suppliers
(including contingent workers), and non-employee directors to conduct themselves in an
appropriate manner within and outside the Company to help maintain its reputation, integrity,
and standards for ethical conduct;
• “Individual” means anyone who can be identified, directly or indirectly, by reference to an
identifier such as name, identification number, location data, online identifier or to one or more
separate or combined factors specific to physical, physiological, genetic, mental, economic,
cultural or social identity;
• “Personal Data” means any information Processed by or on behalf of TCCC that relates to an
Individual;
• “Personal Information” shall have the same meaning as “Personal Data”;
• “Personnel” means all full-time or part-time employees at every level of the Company, interns,
trainees, contingent workers, and any other workers of any kind who perform work or services
for or on behalf of TCCC, including Service Providers;
• “Processing” or “Process” or “Processed” means any operation or set of operations which is/are
performed on Personal Data or on sets of Personal Data, whether or not by automated means,
including (but not limited to) collection, analysis, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
• “Sensitive Personal Data” means any Personal Data revealing financial account information
(including bank account information), credit card or debit card information, tax identification
numbers, government identification numbers, racial or ethnic origin, political opinions, religious
or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose
of uniquely identifying an Individual (e.g. fingerprints), data concerning health, data concerning
an Individual’s sex life or sexual orientation, and Personal Data relating to criminal convictions
and offences;
• “Service Provider” means any company not a controlled subsidiary or affiliate of TCCC, which
processes Personal Data on behalf of, or as directed by TCCC (such as, for example, to provide
services or product offerings).
• “Third-Party Processors” means organizations or companies not a subsidiary or affiliate of
TCCC (including Service Providers), which Process Personal Data on behalf of, or as directed by
TCCC.

2. The Basic Principles of Data Processing

At TCCC, we adhere to the following general principles when Processing Personal Data:
• Principles of lawfulness, fairness and transparency: We Process Personal Data in accordance
with applicable legal regulations, in a manner that recognizes Individual interests, and in a
manner that is open to the Individual;
 • Principle of purpose limitation: We collect Personal Data for specified, explicit and legitimate
purposes and do not Process Personal Data in a manner incompatible with those purposes;
• Principle of data minimization: We Process Personal Data that is adequate, relevant and
limited to what is needed;
• Principle of accuracy: We take measures to keep Personal Data as accurate as possible;
• Principle of storage limitation: We maintain Personal Data as set forth in our applicable
retention periods or as otherwise required by law;
• Principle of integrity and confidentiality: We Process Personal Data in a manner that considers
appropriate security, including protection against unauthorized or unlawful Processing and
against accidental loss, destruction or damage;
Any person acting under the authority of TCCC, who has access to Personal Data, will not Process those
Personal Data except on instructions from TCCC and in compliance with relevant law.

3. Purposes and Justification of Data Processing

3.1 We Process Personal Data for the following purposes:
• To provide products and services as requested by customers and consumers, including Individual
registration and participation in marketing promotions, events, and campaigns;
• To comply with employment and labor laws, regulations, and requirements;
• To protect and enhance the security and safety of TCCC and Individuals including customers,
consumers, business partners, and Personnel;
• To send or personalize marketing communications to Individuals;
• To run data analytics to derive trends and improve products, marketing campaigns, consumer or
customer experience, employee engagement and productivity, and consumer, customer and
employee services;
• To communicate with Individuals including Personnel, business partners, consumers and other
stakeholders;
• To safeguard the uninterrupted continuity of business operations;
• To carry out an intended sale, merger, or acquisition or other corporate transaction;
• To comply with legal requirements; or
• For other purposes allowed under Applicable Data Protection Law
3.2 When the abovementioned Processing activities legally require an Individual’s consent, we will
obtain clear and explicit consent from the Individual.
3.3 We will not Process Sensitive Personal Data, except where:
• The Individual has given his/her clear and explicit consent to the Processing;
• Processing is necessary for the purposes of carrying out TCCC’s legal obligations and exercising
specific rights of TCCC or of the Individual (i.e., in the areas of employment, social security, and
applicable government benefits reporting laws);
 • Processing is necessary to protect the Individual’s legal interests and the Individual is physically
or legally incapable of giving consent; and/or
• Processing is necessary for the establishment, exercise or defense of legal claims or whenever a
regulatory body, agency, or judicial authority requires this in its official capacity.

4. Accountability
4.1 TCCC and its Personnel will monitor and document TCCC’s compliance with this Policy and
Applicable Data Protection Laws on an ongoing basis.
4.2 TCCC and its Personnel are responsible for demonstrating that they have taken appropriate
technical and organizational measures to ensure and able to demonstrate that Processing is performed in
accordance with this Policy and any Applicable Data Protection Law.

5. Information Obligations
5.1 When we collect Personal Data from an Individual and where required by Applicable Law, we
will provide a privacy notice which may, subject to the Applicable Data Protection Law, include the
following information:
• The purpose for TCCC’s Processing of Personal Data;
• Other recipients of Personal Data (such as Service Providers);
• Contact information for the Individual to direct questions or request access, rectification,
deletion, portability, or restriction of Processing of Personal Data;
• Where Processing is based on consent, the Individual’s right to withdraw consent at any time,
without affecting the lawfulness of Processing based on consent before its withdrawal; and
5.2 In instances where we provide a privacy notice and intend to Process Personal Data for a purpose
other than that for which the Personal Data was collected, we shall provide the Individual with notice
prior to further Processing. If required by Applicable Data Protection Law, we will also collect consent
prior to further Processing.
5.3 We shall provide the information in a transparent, intelligible and easily accessible form, using
clear and plain language, either in writing or by electronic means.

6. Accuracy of Data
We shall take reasonable steps to maintain the accuracy of the Personal Data and will delete or correct
any identified inaccurate Personal Data without undue delay. As part of our principles of data processing
and subject to the applicable data retention policy and procedure, we erase Personal Data that is no
longer necessary in relation to the purposes for which it has been collected or otherwise Processed.

7. Transfers of Personal Data to Third Countries

We shall ensure that the transfer of Personal Data to third countries will be done in compliance with the
provisions of Applicable Data Protection Laws, such as through cross-border data transfer agreements.
8. Storage and Erasure of Personal Data
8.1 TCCC will retain Personal Data in a manner consistent with its legal obligations and consistent
with its data retention policies and procedures.
8.2 Notwithstanding TCCC exception processes, any Sensitive Personal Data shall be encrypted at
rest and in motion using TCCC-approved encryption methods.
8.3 The TCCC Chief Privacy Officer must be consulted in case of any conflict between applicable
retention schedules for Personal Data and Applicable Data Protection Law.

9. Third-Party Processors
9.1 We only work with Third-Party Processors that provide sufficient guarantees to implement
appropriate technical and organizational measures that allow TCCC to meet its legal obligations under
Applicable Data Protection Law. We conduct appropriate data security due diligence on potential Third-
Party Processors and monitor for compliance with Applicable Data Protection Law and this Policy
through contractual assurances, questionnaires, audits, or other due diligence measures. Where we have
knowledge that a Processor is using, disclosing or otherwise Processing Personal Data in a manner
contrary to these assurances, we will take reasonable steps to prevent or stop the use, disclosure or other
Processing.
9.3 We will only work with Third-Party Processors through a written contract that sets out:
• Confidentiality requirements on part of the Third-Party Processor;
• Third-Party Processor’s obligation to notify TCCC in the event of a data breach and to provide
subsequent cooperation in reporting and remediation;
• Third-Party Processor’s technical and organizational measures to ensure appropriate security to
Process Personal Data;
• Reason for and duration of Processing, type(s) of Personal Data Processed, types of
individuals/data subjects (e.g., employees, consumers, etc.), and TCCC’s obligations and rights;
• Processor’s willingness to assist TCCC in complying with its legal obligations, including
assistance with applicable data subject rights, notifying TCCC when the Processor reasonably
believes that there has been any unauthorized or accidental access, acquisition, loss, disclosure,
destruction or damage to Personal Data, and informing TCCC of any inspection, audit, or inquiry
made by a data protection authority or regulatory body tasked with data protection enforcement.

10. Third Party Recipients

We will disclose Personal Data to third parties only in compliance with Applicable Data Protection Law.

11. Minors
Per its guidelines, TCCC will not target minors under the age of 12 with its marketing activities.
Where the collection and Processing of Personal Information from minors requires consent (per the
Applicable Data Protection Law), TCCC will take reasonable steps to ensure that parental consent is
first obtained for any submission of Personal Information for minors under the age (per the applicable
laws of a country) required for granting valid consent to the Processing of PI. Where stricter measures
are required under applicable law, TCCC will comply with these stricter requirements.

12. Complaint Handling/Enforcement Process

12.1 Non-compliance with this Policy is considered a violation of the TCCC Code of Business
Conduct and may result in disciplinary actions, dismissal, or any other type of sanction permitted by
applicable law.
12.2 If at any time any person subject to this Policy believes that Personal Data are or have been
Processed in violation of this Policy, he or she may report the concern to the TCCC Chief Privacy
Officer by e-mail at [email protected]; the local TCCC Legal office and/or the local Data
Protection Officer in their respective Business Unit; the local Human Resources office; or the Ethics &
Compliance Office at [email protected].
12.3 If any Personnel believes that he or she is not able to comply with this Policy because of legal
requirements or instructions given to him or her, he or she should immediately report that information to
the Privacy Office, the Ethics & Compliance Office, or to their Local Ethics Officer (“LEO”). The
TCCC Privacy Office, in cooperation with other appropriate Personnel, will take necessary and
appropriate steps and provide additional relevant guidance.

13. Data Security & Confidentiality

13.1 TCCC and its Personnel will take appropriate and commercially reasonable technical and
organizational measures to protect Personal Data against unauthorized or accidental access, acquisition,
loss, disclosure, destruction or damage. Technical measures are those that directly involve TCCC’s IT
system. Organizational measures relate to the system’s environment and particularly to the Personnel
who may come into contact with Personal Data.
13.2 Personnel who need access Personal Data are required to be bound by contract, TCCC Code of
Business Conduct, Applicable Data Protection Laws, and/or relevant policies that protect the
confidentiality of an Individual’s Personal Data.

14. Data Protection Breaches and Security Incidents

14.1 If at any time Personnel becomes aware of any breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or believes
that Personal Data is or has been Processed in violation of this Policy, s/he should immediately report
the concern to [email protected].
14.2 TCCC will inform affected Individuals without undue delay of any breach of security of their
Personal Data where legally required and shall provide all necessary information required by Applicable
Data Protection Laws.

15. Relationship between this Policy, Regional Policies and Applicable Data Protection Law
We recognize that certain laws may impose requirements stricter than those described in this Policy.
We will handle Personal Data in accordance with Applicable Data Protection Law. Where Applicable
Data Protection Law provides a lower level of protection of Personal Data than established by this
Policy, then the requirements of this Policy shall apply. Similarly, where a regional TCCC policy
establishes the minimum criteria for Processing of Personal Data, that regional TCCC policy shall take
precedence over this Policy.

16. Implementation of and Modifications to this Policy

16.1 This Policy was enacted January 2007 and last amended February 2017. This amended Policy is
effective as of March 8, 2019. This Policy will be available on the TCCC Intranet. Each TCCC
Personnel is obliged to take notice and review the Policy, including any amendments.
16.2 TCCC reserves the right to modify this Policy as needed, for example, to comply with changes in
laws, regulations, TCCC practices and procedures, or requirements imposed by data protection
authorities. TCCC will post all changes to this Policy on relevant internal websites.

17. Related Policies, Processes, and Guidelines

• Information Protection Policy
• Data Classification Guide
• E.U. Privacy Policy
• Privacy FAQ