Data protection

Coca-Cola HBC Schweiz AG
Stationsstrasse 33
8306 Brüttisellen

Personal data is all data containing information about personal or factual circumstances, such as name, address, e-mail address, telephone number, date of birth, age, gender, etc.

We collect, process and store your personal data when you visit our website, when you contact us, for using our services and for operating and improving our website. 

These are generally processed and stored to the extent that this is necessary for the fulfillment of contractual or legal obligations if you buy something from us (see also Art 6 Para 1 lit b and c GDPR). 

If processing is necessary to protect our legitimate interests or those of a third party and if this interest does not outweigh your interest in confidentiality, we base the processing of your personal data on our legitimate interests (see also Article 6 Paragraph 1 lit f GDPR). 

We delete or store your personal data protected against access as soon as the purpose of the processing no longer applies, provided that we, as the data controller, have not been imposed a legal obligation to store the data beyond the period of time the purpose has been fulfilled. Furthermore, we reserve the right to store your personal data for as long as specific legal claims are asserted against us and in case that no legal obligation has been imposed on us as the data controller to store the data beyond the period of time when the purpose has been fulfilled.

In the following we inform you in detail about the scope and purpose of the processing of the data as well as about the transmission of your data to third parties.

3.1. Visiting the website

Personal data is processed when you visit our website.

3.1.1. Scope of data processing

When you access our website, we automatically collect and store information in so-called server log files, which your browser automatically transmits to us. These are:

• browser type

• browser version

• operating system used

• Referrer URL

• Host name of the accessing computer

• Date and time of the server request

• your IP address

• Location

3.1.2. Purpose of data processing

We process this data for the purposes of logging system use, the authorization process and evaluating the server log files for problem analysis. If you do not provide us with your data, it may be the case that access is not possible.

3.1.3. Legal basis of data processing

The processing of the data mentioned is in our legitimate interest as the operator of the website (see also Article 6 Paragraph 1 lit f GDPR). In principle, the individual data sets are not merged, but we reserve the right to check the data if we become aware of specific indications of illegal use, in particular malicious attacks.

You can object to the processing of your personal data at any time, stating reasons. Please address your revocation to DataProtectionOffice@cchellenic.com.

3.1.4. Recipient of the data

We use Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, Great Britain as a service provider to operate our website, including hosting, and to ensure the security of our IT systems, who may have access to your personal data in the course of your work. If necessary, sub-service providers are used. If your personal data is transferred to third countries, the service provider is contractually obliged to always ensure the protection of your personal data, to take appropriate technical and organizational measures with regard to the security of the data and under no circumstances to process or transfer your data for its own purposes.

Furthermore, we reserve the right to forward the data collected for this purpose to the competent authorities and courts if there is reasonable suspicion. This is due to our legitimate interest in proper legal prosecution (see also Art 6 Para 1 lit f GDPR). 

3.1.5. Storage duration

The data collected here will be stored for a period of two years. If we have reasonable suspicion of abusive behavior and forward the data to the responsible public authorities, this data will be stored on a separate data medium and deleted after the legal prosecution has ended.

3.2. Contact initiation

3.2.1. Scope of data processing

We only process your personal data to the extent necessary to process your contact request. This may include names, addresses, e-mail addresses, phone numbers or other personal data you are providing us with.

3.2.2. Purpose of data processing

The processing of your data in the context of initiating contact serves the sole purpose of offering easier communication with concrete answer options to process communication as efficiently and quickly as possible. Of course, we have taken all technical and organizational measures to ensure the security of your data.

3.2.3. Legal basis of data processing

The processing of this data takes place in fulfillment of the (pre-) contractual measures (see also Art 6 Para. 1 lit b GDPR), provided that the contact serves to initiate business. For other purposes, in particular to simply obtain information about our products, processing takes place on the basis of our legitimate interest. 

If the required data is not provided, we will unfortunately not be able to answer your request.

3.2.5. Storage duration

Data that we collect as part of your contact will be stored by us for the purpose of processing your request for as long as reasonably necessary after the last contact. In addition, the data will be kept for as long as concrete claims are asserted against us. If we have reasonable suspicion of abusive behavior and forward the data to the responsible public authorities, this data will be stored on a separate data medium and deleted after the legal prosecution has ended.

3.2.6. Recipient of the data

The personal data you provide to us based on your contact initiation will be held in a Data center hosted in Crawley, UK, by a company named Rackspace, whose secondary site is in Ireland, and can be accessed by or given to our staff working outside UK and to third parties, to business partners, government bodies and law enforcement agencies, successors in title to our business and suppliers we engage to process data on our behalf, some of whom are located outside the European Economic Area, who act for us for the purposes and justifications set out in this policy.

Categories of the recipient:
companies within the group of companies of Coca-Cola HBC Switzerland Ltd and/or Coca-Cola Switzerland LLC and/or third-party service providers that process data on our behalfor are involved to provide the services you requested

Purpose of the sharing:
to provide our products and services

Categories of the recipient:
government bodies

Purpose of the sharing:
to fulfil a legal obligation

Categories of the recipient:
successors in title to our business and suppliers

Purpose of the sharing:
performance of the services you requested

If you submit personal information to us, you agree to such sharing.

As a person affected by our data processing, you have the following rights in principle:

4.1. Right to information

You have the right to request informal information at any time about which of your personal data is being processed by us as the data controller - together with further information such as the processing purposes and recipients, information about the origin of the data and information about automated decision-making including the logic involved. Furthermore, you have the right to request information as to whether the personal data concerning you is being transmitted to a third country or to an international organization, including the right to information about the appropriate guarantees (see also Article 46 GDPR).

4.2. Right to rectification and right to restriction of processing

You can request the correction or completion of incorrect or incomplete data. You also have the right to request that the processing of data be restricted so that it is only carried out with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest may be processed if, for example, the accuracy of the data is disputed.

4.3. Right to data portability

You can request that you - or, if this is technically feasible, an identifiable third party - be sent a copy of the data, insofar as they have been made available to us, in a structured, common and machine-readable format.

4.4. Right to Erasure

You can request that your data be erased in certain circumstances, for example if it is not being processed in accordance with data protection regulations.

4.5. Right to object

You have the right to object to the processing of your personal data at any time, stating reasons. In this case, we will no longer process the personal data relating to you, unless we can cite and prove compelling legitimate grounds for processing that outweigh your interests, or the processing serves to assert, exercise or defend legal claims.

4.6. Right to revoke your declaration of consent

You have the right to revoke your declaration of consent under data protection law at any time and without giving reasons by sending an email to DataProtectionOffice@cchellenic.com. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. We will delete your data immediately, provided that no legal provisions require storage.

4.7. Supervisory authority

You have the right to file a data protection request with the Swiss federal data protection authority. The respective contacts can be found here.

We reserve the right to adapt this data protection declaration at any time in compliance with the applicable data protection regulations. Users are asked to inform themselves regularly about the content of the data protection declaration.

November 2022