Welcome to the Coca‑Cola Consumer Privacy Policy (Privacy Policy).

This Privacy Policy was posted and is effective for new users on [public posting date], 2024.

The prior versions of Coca‑Cola’s privacy policies apply until [public posting date + 10 days] and are available upon request to privacy@coca-cola.com.

The Privacy Policy applies to the personal information collected from users of the Services in which the Privacy Policy is posted or linked, when the Privacy Policy is specifically referenced in the Services or when Coca‑Cola asks you to acknowledge it. This Privacy Policy also covers personal information that we collect from consumers who contact us by email, telephone and offline, such as during an in-person event.

This Privacy Policy also may apply to personal information provided to us by consumers who engage with us through social media. Please contact us at Privacy@coca-cola.com if you have questions about whether this Privacy Policy applies to specific personal information connected with social media. This Privacy Policy does not apply to websites and other online services operated by other organizations. Those other websites and services follow their own privacy policies, not this Privacy Policy. Please make sure to check those privacy policies so you know how your information is handled.

a. Information you choose to give us We collect the personal information you choose to share with us.

The personal information that you choose to give to us typically includes the following types of personal information. Please review below to learn more about the categories of personal information that Coca‑Cola collects and why it is collected: Contact and account information Coca‑Cola requests your first and last name, email address or mobile telephone number and date of birth to create an account on the Services. We also may collect username and password, age, mailing address, government-issued identifier and similar contact information.

• To maintain your online account if you choose to create one

• To verify identity and eligibility for certain Services

• To customize your experience of the Services

• To offer access to exclusive content, discounts and other opportunities

• To administer a sweepstakes, contest or other promotion or a loyalty program

• To complete a purchase and deliver products

• To send information that we think will interest you, which is sometimes personalized based on the information associated with your account

• To request your feedback, such as through a survey about a new product

• To respond to your questions and provide customer service

• For research and innovation

• When you attend an in-person event, such as events sponsored or hosted by Coca‑Cola or product sampling

User Generated Content (UGC) Coca‑Cola collects the posts, comments, opinions, voice recordings, photos and videos that you choose to submit through the Services

• To monitor online communities

• To record and act on your comments and opinions, such as in surveys, customer service inquiries and other free-form text boxes

• To administer your participation in promotions that include submission of UGC

• In connection with participation in specific promotions or other Services, such as Coca‑Cola’s smart coolers.

Photos, voice recordings and videos that you choose to share may constitute biometric data under some laws. Coca‑Cola collects biometric data only with your specific consent. Information associated with an account on a social media platformWhen you connect or log into the Services through your social media account, such as Meta and Twitter, we collect the personal information permitted by the social media platform and your account permissions, such as profile photo, email, like and interest and friends, followers or similar lists.

• To personalize your experience of the Services

• To respond to your comments and inquiries posted on a social media platform and analyze communications (such as tweets or posts) with or about Coca‑Cola to better understand how consumers view Coca‑Cola

(If you decide later that you do not want to provide us with information from your social media account, then please adjust the privacy settings in your social media account.)Location DataWe collect precise geolocation ( aka GPS) data when permitted through our Apps when you choose to allow it through your mobile device’s operating system and otherwise with your consent, as required. Approximate location from an IP address or connections to WiFi, Bluetooth or a wireless network service is automatically collected when you use the Services.We collect this location data:

• To customize your experience of the Services

• To let you know when products, promotions or events are available near you or allow other users to see your location when you choose to allow it

• To send geographically-relevant advertising

Other Personal information shared through the Services

• To administer online communities

• To manage promotions and other features of the Services that allow you to share your personal information

b. Information about use of our Apps When you download and install one of our Apps, the information that we collect depends on your mobile device’s operating system and permissions. Our Apps need to use certain features and data from your mobile device in order to function. For example, if you want a seamless online to App experience we need to collect and link information from your web browser.To learn more about the specific information collected by an App, please check your device settings or review the permissions information available on the particular platform (e.g., Google Play and the App Store) from which you downloaded the App. Certain Apps also allow you to check or change your status for certain data collection in the App settings. If you change your settings, certain App features may not function properly. To stop collection of all information through an App, please uninstall the App.c. Information automatically collected during use of the Services We automatically collect certain information from and about use of the Services from users’ computers and mobile devices. Some automatically-collected information is personal information under certain laws. This information is automatically collected using cookies, pixel, web beacons and similar data collection technology (collectively, data collection technology).

d. Information collected from third parties From time to time, we receive personal information from third parties that we use to learn more about our users, personalize user experience and more effectively promote and improve the Services.

The types of personal information that we receive from third parties are:

• Personal information associated with purchases. Payment card purchases are processed by third-party payment processors. Coca‑Cola does not have access to complete bank account numbers, credit card numbers or debit card numbers.

• Personal information that is commercially available from marketing services providers or collected by marketing partners through campaigns and events, which is used to help identify individuals who may be interested in learning more about Coca‑Cola and to supplement personal information we already have. This personal information includes insights from matching our pseudonymized data sets with third parties’ pseudonymized data sets, including though data clean rooms (see also Section 4 below).

• Personal information that we receive from the third-party advertising partners that help us provide more relevant advertising

• Personal information shared with Coca‑Cola by bottler partners

• Personal information from publicly-available sources

• Personal information from law enforcement and other government authorities (but only in rare cases)

We may combine information that Coca‑Cola has about you or combine data from third-party data sources. We require that each third-party data provider confirm that its sharing of personal information with Coca‑Cola is transparent to consumers and otherwise lawful.

e. Other information collected with your consent We may ask you for your consent to collect specific types of personal information so that you can participate in new activities, receive exclusive content or test new features. Under some privacy laws, Coca‑Cola is required to obtain consent before collecting and using personal information. Please see Section 9 for details.

Coca‑Cola uses personal information to provide and improve the Services, manage our business, protect users and enforce our legal rights.

We use personal information to provide, personalize and improve the Services (in each case as permitted by applicable law), including:

• To create and update users’ accounts and fulfill users’ requests

• To centralize consumers’ personal information in a database managed by a third party on our behalf and append information collected from third parties

• To send marketing and non-marketing communications to users

• To enable communications among users, such as an online community

• For targeted advertisements (also sometimes referred to as personalized or interest-based advertising) based on information generated by a user’s online activity, such as visiting websites that contain our advertising partners’ ads or cookies, some of which are based on geo-location.

• To learn more about our users so we can recommend content that we think will interest particular users

• In particular, we develop insights about users by participating in ‘data clean rooms.’ Through a data clean room, we run queries and extract outputs and insights from data offered by third parties that also participate. Data used in data clean rooms is shared by other businesses and participants in a format that does not directly reveal or expose personal information; instead, before matching, an identifier is created and used to match the third-party data sets with Coca‑Cola’s pseudonymized personal information. (Using personal information for the purpose of creating pseudonymized data involves prior profiling of data sets.) After the matching process, we receive aggregated information about our audience that does not allow for enrichment of individual data sets unless we inform you or otherwise obtain separate consent. Data sharing in data clean rooms is for the purpose of audience discovery, audience expansion, audience targeting and look-alike audience modelling.

• For promotion and loyalty program administration

• For customer service

• For facilitating payment

• To analyze how users interact with the Services and activity trends so that we can develop new features and content that meet our consumers’ expectations

• To improve the Services and users’ experience of them

• For data analytics, research, product development and machine learning that enable us to better understand our consumers and offer innovations for them

• For monitoring and testing the Services, including to troubleshoot operational problems

• To create anonymized data, which are not subject to this Privacy Policy, that are used in improving Coca‑Cola’s products and services and similar business purposes and otherwise as permitted by contract and law

• To detect and protect against fraud, abusive and unauthorized use of the Services

• For risk management and similar administrative purposes, such as to monitor and enforce compliance with user agreements and otherwise comply with laws applicable to Coca‑Cola

We use cookies and other data collection technology to recognize you and/or your device(s) when you use the Services and collect personal information about you. In some rare cases, there may be some websites that are part of the Services which have specific notices about cookies and other data collection technology that apply to specific websites and consumers. If you visit a Coca‑Cola website with a notice about cookies, then that website’s cookie notice applies.

What are cookies?

Cookies are small text files that are sent to or accessed from your web browser or your computer's hard drive. A cookie typically contains the name of the domain (internet location) from which the cookie originated, the “lifetime” of the cookie (i.e., when it expires) and a randomly generated unique number or similar identifier. A cookie also may contain information about your computer or device, such as settings, browsing history and activities conducted while using the Services. Coca‑Cola also uses “pixels” (sometimes called web beacons). Pixels are transparent images that can collect information about email opens and website usage across websites and over time. Cookies that Coca‑Cola sets in the Services are called first-party cookies. Cookies set in the Services by any other party are called third-party cookies. Third-party cookies enable third-party features or functionality on or through the Services, such as analytics and marketing automation. The parties that set third-party cookies can recognize your device both when you use it to access the Services and also when you use it to visit certain other websites. To learn more about cookies generally, visit www.allaboutcookies.org. Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (DNT) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser blocks that website from collecting certain information from the browser cache. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including Coca‑Cola, do not yet respond to DNT signals.

Why does Coca‑Cola use cookies and other data collection technology?

Some cookies are required for the Services to operate. Other cookies enable us to track the interests of users for targeted advertising and to enhance the experience of the Services. The types of cookies served on through the Services and why they are used is as follows:

• Strictly necessary cookies are required for the Services to operate.

• Performance or Analytics cookies collect information about how the Services are used so we can analyze and improve the Services. Performance or analytics cookies typically remain on your computer after you close your browser until you delete them.

• Advertising cookies are used to make advertising messages more relevant to you by helping us display advertisements that are based on your inferred interests, prevent the same ad from appearing too often and ensure that ads are properly displayed for advertisers.

• Social media cookies allow users to interact more easily with social media platforms. We do not control social media cookies and they do not allow us to gain access to your social media accounts without your permission. Please refer to the relevant social media platform’s privacy policy for information about the cookies used.

Data collection technology enables Coca‑Cola to monitor the traffic patterns from one webpage to another, to deliver or communicate with cookies, to understand whether users visit the Services after seeing our online advertisement displayed on a third-party website, to improve performance of the Services and to measure the success of our email marketing campaigns. Coca‑Cola’s Cookie Policies (available in certain jurisdictions) describe Coca‑Cola’s use of data collection technology. Google Products Where permitted by applicable law, the Services use Google Analytics for targeted advertising (which Google sometimes refers to as ‘remarketing’). Google uses cookies that Google recognizes when consumers visit various websites. The data collected through Google’s cookies helps Coca‑Cola analyze how the Services are used and, for some Services and in some jurisdictions, to personalize marketing communications and digital advertising.

The Services also embed videos from YouTube (a Google company) by framing. This means that, after you click the button to play a YouTube video through the Services, a connection between the Services and the YouTube servers is established. Then, an HTML link provided by YouTube is inserted into the code of the Services to create a playback frame. The video stored on the YouTube servers is then played by the frame in the Services. YouTube also receives information that informs YouTube that you are currently using the Services: your IP address, browser information, the operating system and settings of the device you are using, the URL of the current web page, previously-visited web pages if you have followed a link, and the videos you watched. If you are logged into your YouTube account, the information may be associated with your YouTube user profile. You can prevent this association by logging out of your YouTube account before using the Services and deleting the corresponding cookies. For more information about how Google collects, uses and shares your information, please visit Google’s Privacy Policy For more information about how Google uses cookies in advertising, please visit Google’s Advertising page. To prevent Google Analytics from using your data, you can install Google’s opt-out browser add-on. To opt out of ads on Google that are targeted to your interests, use your Google Ads settings. If you are located in the EEA, Switzerland or UK, please note in particular that, if you allow Google’s cookies in Coca‑Cola’s Privacy Preference Center, the information generated by those cookies about use of the Services is transmitted to and stored by Google on servers in the United States. Coca‑Cola used technology tools, including Google’s IP Anonymization tool, to exclude the last part of your IP address before the data is transferred by Google to the United States, as well as Google’s tools for deactivation of data sharing and Google signals and User-ID settings in Google Analytics for certain jurisdictions. Google will not associate an IP address with any other data held by Google. On behalf of Coca‑Cola, Google will use the data described above to compile reports that help Coca‑Cola operate and provide the Services. Meta Products Some part of the Services use products and features offered by Facebook, Instagram and Messenger and Facebook apps (Meta Products). The Meta Products use tags, pixels (the Meta Pixel) and other unique tracking codes and technology that collect user information (including personal information) from the Services. Facebook tracks user interactions with the Services after a user clicks on an ad placed on Facebook or other services provided by Meta (called a conversion) and enables Coca‑Cola to learn more about how users engage with ads and similar information. The Meta Products use the collected data for Meta’s own purposes, including to improve the Meta Products. Meta may transfer data that it collects from the Services to the USA and other countries, where you may have fewer rights to related to your personal information. To learn more about how the Meta Products collect, use and process personal information and how you can manage or delete personal information about you, please see the Privacy Policy for the Meta Products at https://www.facebook.com/about/privacy.

Your Cookie Choices

You can set your browser to refuse all cookies or to indicate when a cookie is set. (Most browsers accept cookies automatically but allow you to disable them but note that some features of the Services may not work properly without cookies.) As noted above, Google has developed an opt-out browser add-on if you want to opt out of the cookies used for Google Analytics. You can download and install the add-on for your web browser here. You may refuse the use of these cookies by selecting the appropriate settings on your browser. To learn more about how to view and manage your information on the Meta Products, please see here. Certain jurisdictions in which the Services are available also have cookie policies which are separate from and supplement this Privacy Policy and tools to manage cookies. Please refer to Section 9 for details.

Coca‑Cola shares personal information with people and businesses that help operate the Services and carry out our business and when we are legally permitted or required to do so. We also share personal information when a user requests that we share it. We require that recipients of personal information from us comply with this Privacy Policy unless and until users are made aware that a different privacy policy or notice will apply.

Coca‑Cola shares personal information with the following categories of recipients:

• Professional advisors, such as lawyers, accountants, insurers and information security and forensics experts.

• Marketing vendors that help promote the Services (such as by email marketing) and from time to time supplement personal information that we already have. For example, Meta receives and uses certain data related to the use of the Services to help us deliver personalized advertising on its platform and assess the effectiveness of this advertising.

• Service providers to enable them to perform services on our behalf, including data analytics, data security, ecommerce operations, surveys, research, administration of promotions, offers and loyalty programs and otherwise to help us carry out our business. Some of these service providers have global responsibilities.

• For strategic partnerships, such as with sports leagues and manufacturers and other providers of complementary offerings.

• Through data clean rooms as described in Section 4. Data sharing in a data clean room is for the purpose of audience discovery, audience expansion, audience targeting and look-alike audience modelling.

• Cloud storage providers.

• Potential or actual acquirers or investors and their professional advisers in connection with any actual or proposed merger, acquisition or investment in or of all or any part of our business. We will use our best efforts to ensure that the terms of this Privacy Policy apply to personal information after the transaction or that users receive advance notice of changes to personal information processing.

• Coca‑Cola affiliates and bottler partners.

• Competent law enforcement, government regulators and courts when we believe disclosure is necessary (i) to comply with the law, (ii) to exercise, establish or defend legal rights, or (iii) to protect the vital interests of users, business partners, service providers or another third party.

• Other third parties with your permission.

If we share personal information, we require that the recipients handle personal information in compliance with this Privacy Policy and our confidentiality and security requirements.

Coca‑Cola takes care to secure and safeguard the personal information entrusted to us. We use a variety of measures to help us protect personal information from unauthorized access and use.

Coca‑Cola uses technical, physical, and administrative safeguards intended to protect the personal information that we process. Our safeguards are designed to provide a level of security appropriate to the risk of processing your personal information and include (as applicable) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and a procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal information. Coca‑Cola cannot, however, fully eliminate security risks associated with the processing of personal information.

You are responsible for maintaining the security of your account credentials. Coca‑Cola will treat access to the Services through your account credentials as authorized by you.

Coca‑Cola may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security. If you believe that information you provided to Coca‑Cola or your account is no longer secure, please notify us immediately at Privacy@coca-cola.com. If we become aware of a breach that affects the security of your personal information, we will provide you with notice as required by applicable law. When permitted by applicable law, Coca‑Cola will provide this notice to you using the email address associated with your account or another permitted method associated with your account.

UNAUTHORIZED ACCESS TO PERSONAL INFORMATION THROUGH THE SERVICES – INCLUDING SCRAPING – IS PROHIBITED AND MAY LEAD TO CRIMINAL PROSECUTION.

We retain personal information about a user for as long as user’s account is active and otherwise as long as necessary for the purposes described above. We also retain personal information as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

We intend to keep your personal information accurate and up-to-date. We retain the personal information that we handle subject to this Privacy Policy in accordance with our data retention policy. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you and mandatory retention periods under applicable law. At the end of relevant retention period, we either delete or anonymize personal information or, if we cannot delete or anonymize personal information, then we segregate and securely store personal information until deletion or anonymization is possible.

Once we anonymize personal information, it is no longer personal information. We use anonymized data subject to applicable law and contracts.

You can make choices about Coca‑Cola’s handling of your personal information. You can exercise your privacy rights by contacting Coca‑Cola as described in this Section 9 or using various tools available through your browser or that Coca‑Cola makes available. In some cases, your ability to access or control your personal information is limited by applicable law.

Mobile Device Preferences

Mobile operating systems and app platforms (e.g., Google Play, App Store) have permission settings for specific types of mobile device data and notifications, such as for access to contacts, geo-location services and push notifications. You can use the settings on your mobile device to consent to or deny certain information collection and/or push notifications. Certain Apps also may have settings that allow you to change permissions and push notifications. For some Apps, changing settings may cause certain aspects of the App to not functional properly.

You can stop all information collection from an App by uninstalling the App. If you uninstall the App, please also consider checking your operating system’s settings to confirm that the unique identifier and other activity associated with your use of the App is deleted from your mobile device.

Opting out of Coca‑Cola’s Emails and Text Messages

To stop receiving promotional emails from Coca‑Cola, please click the “Unsubscribe” link at the bottom of the email. After you opt out, we may still send you non-promotional communications, such as receipts for purchases or administrative information about your account.

Your account settings also may allow you to change your notification preferences, such as push notifications from an App.

To stop receiving promotional text messages (SMS or MMS), please send a reply text message indicating that you wish to stop receiving promotional text messages from us – such as by testing the word “Stop”. You also may let us know as directed below in the “Contacting Us” section. Please specify which types of communications you no longer wish to receive together with the relevant telephone number, address, and/or e-mail address. If you do opt-out of receiving marketing-related messages from us, we may still send you important administrative messages, such as emails about your accounts or purchases

INFORMATION ABOUT PRIVACY RIGHTS AND CHOICES FOR SPECIFIC JURISDICTIONS IS PROVIDED IN SECTION 13 AT THE END OF THIS PRIVACY POLICY. WE ENCOURAGE YOU TO REVIEW THE RELEVANT SECTIONS.

IF YOU ARE LOCATED IN A JURISDICTION WITH PRIVACY LAWS THAT OFFER YOU PRIVACY RIGHTS NOT DESCRIBED IN THIS PRIVACY POLICY, PLEASE CONTACT US AT PRIVACY@COCA-COLA.COM. We respect your privacy rights and will do our best to accommodate your requests.

Some of the Services have age restrictions which means that we may ask questions to verify your age before we allow you to use those Services.

In accordance with our Responsible Marketing Policy, Coca‑Cola does not direct marketing for our products to children under age 13. If you become aware that a child under age 13 or the age set under local law has provided us with personal information without parental consent or other than as allowed by applicable law, please contact our Privacy Office at privacy@coca-cola.com. Once we become aware, we will take steps to remove the child’s personal information as required by applicable law.

Coca‑Cola may transfer personal information across borders to any of the places where we and our suppliers and business partners operate. These other places may have data protection laws that are different from (and, in some cases, less protective) than the laws where you reside.

If your personal information is transferred across borders by us or on our behalf, we use appropriate safeguards to protect your personal information in accordance with this Privacy Policy and applicable law. These safeguards include agreeing to standard contractual clauses or model contracts for transfers of personal information among the Coca‑Cola affiliates and among our suppliers and partners. When in place, these contracts require our affiliates, suppliers and partners to protect personal information in accordance with applicable privacy laws.

Please also see our Data Privacy Framework Privacy Policy [LINK], which describes how Coca‑Cola handles personal data that Coca‑Cola receives in the U.S. from the EU, UK and Switzerland in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce (collectively, the DPF Framework). If the terms in this Privacy Policy and the DPF Privacy Policy conflict, then the DPF Privacy Policy governs with respect to personal information that Coca‑Cola receives in the U.S. under the DPF Framework. To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov/.

To request information about our standard contractual clauses or other safeguards for cross-border personal information transfers, please contact privacy@coca-cola.com.

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. The most current version always is available through the Services.

When we update this Privacy Policy, we will post the updated version and change the Effective Date above. We also will take appropriate measures to inform you in advance of significant changes that we believe affect your privacy rights so that you have an opportunity to review the revised Privacy Policy before it is effective. If your consent is required by applicable privacy laws, we will obtain your consent to changes before the revised Privacy Policy applies to you. Please regularly check this Privacy Policy to ensure you are aware of the updated version.

Residents of African Countries

Residents of South Africa. Personal information that is collected from you is required for you to have access to the Services. Failure to provide this personal information may prevent you from accessing or using any or all of the Services. Under the Protection of Personal Information Act 4 of 2013 (POPIA), personal information of juristic persons also is protected; therefore, in the event that apps or website are accessed on behalf of a juristic person, personal information of such juristic person should be protected. Direct Marketing: All electronic direct marketing communication will be sent to you (until you opt out) when:

• you consent to receive direct marketing communication in accordance with POPIA; or

• we received your personal information in connection with the sale of any of our products or services to you so that we can communicate with you about our other products or services. You can choose to opt out of receiving these marketing communication at the time by using the “unsubscribe” link or contacting us at using the contact information below.

Your Rights: You have the right to make the following requests about your personal information:

• to ask whether Coca‑Cola holds personal information about you, free of charge

• to request a record or a description of your personal information that Coca‑Cola holds about you in accordance with the process set out in the PAIA Manual accessible at coca-cola.co.za.

• to request that Coca‑Cola update or correct inaccurate or incomplete personal information about you

• to request that Coca‑Cola stops using your personal information for any reason

• to object to the processing of your personal information

• to request that Coca‑Cola deletes your personal information

• to request that Coca‑Cola restrict how your personal information is used, shared and otherwise processed

• to request that Coca‑Cola transmit a copy of your personal information to you or to a third party selected by you.

We may (and in some cases are required to) verify your identity before we can act on your request to exercise your privacy rights. How to contact us to exercise your privacy rights: To exercise your privacy rights, please contact Coca‑Cola using one of these options:

• send us an email to the following address: CCSAINFO@COCA-COLA.COM

• call us on 0860112526

• write to the following postal address: Coca‑Cola Africa (Proprietary) Limited, Oxford and Glenhove, 116 Oxford Road, Houghton Estate, Johannesburg, 2198 for the attention of the Legal Team.

You have a right to lodge a complaint with the Information Regulator (South Africa) via email at POPIAComplaints@inforegulator.org.zaOther Processing Details: We also automatically collect the following information:

Behavioral Data: Information derived from the combination of the device ID and the system events that may be used to identify behavioral trends and patterns and send you marketing communications related to the events you have participated in, subject to direct marketing requirements in terms of POPIA such as obtaining your prior consent.

Participation Data: Personal information pertaining to a data subject’s participation in a promotional competition, prize, poll, instant win promotion, contest and other types of promotions (e.g. type of promotion, date and time of participation to the promotion, outcome of the participation to the promotion, information required for prize fulfillment).

Analytics information: We may collect analytics data, or use third-party analytics tools such as Google Analytics, to help us measure traffic and usage trends for the Services and to understand more about the demographics and behaviors of our users.

We also permit third-party online advertising networks, social media companies and other third-party services to collect information about the user’s use of the Services over time so that they may play or display ads on the Services used by the user and on other devices the user may use.

The Services may include social media features, such as the Meta like button, LinkedIn, Snapchat, Instagram, Twitter or other widgets. These social media companies may recognize the user and collect information about the user’s visit to the Services, and they may set a cookie or employ other tracking technologies. The user’s interactions with those features are governed by the privacy policies of those companies which we do not have control over. We display targeted advertising to the user through social media platforms, such as Meta, Twitter, Google+ and others with the user’s prior consent. Meta, Twitter, Google have interest-based advertising programs that allow us to direct advertisements to users who have shown interest in the Services while those users are on the social media platform, or to groups of other users who share similar traits, such as likely commercial interests and demographics. These advertisements are governed by the privacy policies of those social media companies that provide them.

For some of the Services, we use third-party tools to monitor user experience information. These tools automatically collect usage information, including mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected does not include passwords, payment details, or other sensitive personal information. We use this information for site analytics, optimization and to improve website usability. We do not permit this information to be shared with or used by third parties for their own purposes.

Our online and email advertising-related vendors may use pixel tags, web beacons, clear GIFs or other similar technologies in connection with the Services to help manage our online and email advertising campaigns and strengthen the effectiveness of such campaigns. For example, if a vendor has placed a unique cookie on the user’s computer, the vendor may use pixel tags, web beacons, clear GIFs or other similar technologies to recognize the cookie during the user’s visit to the Services and to learn which of our online advertisements may have brought the user to the Services, and the vendor may provide us with such other information for our use. We may link such other information provided to us by our vendors to Personal information about the user that we have previously collected.

We may use third-party advertising companies to serve advertisements on the Services. These companies may use information (not including the user’s name, address, email address or telephone number) about a user’s visits to the Services to provide advertisements about goods and services of interest to the user.

We may link or combine the user’s activities and information collected from the user through the Services with information we collect automatically through tracking technologies. This allows us to provide the user with a personalized experience regardless of how the user interacts with us through the Services.

• Residents of Kenya

As provided to individuals in Kenya, the Services do not collect, store or read the location data through GPS, Wi-Fi or wireless network triangulation. An anonymized, randomly generated app ID is collected and used to detect user proximity to points of sales and send location-specific promotional messages and discounts offered in nearby locations.

Residents of Argentina

The Agency of Access to Public Information, in its role of Regulating Body of Law 25.326, is responsible for receiving complaints and reports from residents of Argentina who believe that their privacy rights were violated. The owner of the personal data has the right to exercise the right of access at intervals of not less than six months, unless a legitimate interest is demonstrated for this purpose in accordance with article 14, paragraph 3 of Law No. 25,326.

Interested parties may exercise their right of access, rectification or deletion by submitting a request to: Servicios y Productos para Bebidas Refrescantes SRL – Vedia 4090 – C.A.B.A. – Argentina- Attn: Responsable de Bases de Datos.

Natural persons must attach a copy of their National Identity Document and Legal Representatives must attach the documentation that proves the validity of the legal representation. Each request must explain the reason for the request. Coca‑Cola will respond to an access request within ten (10) calendar days and for requests for rectification, updating or deletion of personal data, Coca‑Cola will respond within five (5) business days.

Residents of Australia

While your personal information is generally stored on a central consumer database on servers located in Australia, Coca‑Cola also may store your personal information on our affiliates’ and suppliers’ systems in other countries, such as the United States of America, New Zealand, Singapore and others, as necessary from time to time.

We require third parties storing personal information to comply with Australian privacy laws and this Privacy Policy, and to only use your personal information for the purposes for which it has supplied.

If you wish to access or correct your personal information or have questions or concerns regarding this Privacy Policy or if you are concerned your privacy may have been breached, please contact us by any of the following means: Email: privacyofficerau@coca-cola.comPhone: Call our Consumer Information Centre on 1800 025 123 (within Australia)

Post: Attn: Privacy Officer Coca Cola South Pacific Pty Limited GPO Box 388 North Sydney, NSW 2059 Online: Use the “Contact Us” section at www.coca-cola.com/au and indicate that your query relates to “privacy”.

We will respond to you as soon as we are able and in any event within 30 days after receipt of your initial request. If Coca‑Cola has valid reasons not to honor your request relating to your personal information, we will provide you with a written explanation and the mechanisms you can follow if you wish to complain about the refusal.

The controller of your personal information is: Coca Cola South Pacific Pty Limited mail: privacyofficerau@coca-cola.comPhone: Call our Consumer Information Centre on 1800 025 123 (within Australia) Post: Attn: Privacy Officer Coca Cola South Pacific Pty Limited GPO Box 388 North Sydney, NSW 2059

The data protection regulator is: Office of the Australian Information Commissioner Post: GPO Box 5218 Sydney NSW 2001Address: 175 Pitt Street Sydney NSW 2000Tel: 1300 363 992Fax: 61 2 9284 9666Emai: foi@oaic.gov.auWebsite: https://www.oaic.gov.au/

Residents of Brazil

Your privacy rights under LGPD are described at https://privacidade.cocacola.com/br/#direitos. To exercise your privacy rights, please

• Complete the form at https://privacidade.cocacola.com.br/dsr/index.html

• Send an email to encarregado.lgpd@coca-cola.com

• By post to Praia de Botafogo, 374, Botafogo, Rio de Janeiro/RJ, ZIP Code: 22.250-907, attn: Flavio Mattos dos Santos

The controller of your personal information is Recofarma Indústria do Amazonas Ltda.

The data protection regulator is Autoridade Nacional de Proteção de Dados, https://www.gov.br/anpd/pt-br.

For its websites directed to residents of Brazil, Coca‑Cola has a cookie policy separate from this Privacy Policy. Please check the relevant Coca‑Cola website.

Residents of the United States (CA, CO, CT, UT, VA)

Residents of California. This California Privacy Notice (California Privacy Notice) applies to Coca‑Cola’s processing of personal information of residents of the U.S. State of California (California Consumers) as required by the California Consumer Privacy Act of 2018, as amended (CCPA).

If you are a California Consumer, this California Privacy Notice is designed to help you understand the categories of personal information that we collect about you, where we get that personal information, why we process it, who we share it with, and the rights you have to know and control your personal information. If this California Privacy Notice and any provision in the rest of our Privacy Policy conflict, then this California Privacy Notice controls for the processing of personal information of California Consumers. This California Privacy Notice does not apply to Coca‑Cola’s employees, contractors, contingent workers, or job applicants.

Notice at Collection

For CCPA purposes, Coca‑Cola generally acts as a “Business” with respect to your personal information. A Business is similar to a Data Controller, which means that Coca‑Cola determines how and why the personal information that Coca‑Cola collects from or about you is handled.

This Notice at Collection of personal information describes our personal information collection practices when we are acting as the Business, including a list of the categories of personal information we collect, the purposes for which we collect personal information and the sources from which we collect personal information.

Although we already explain what personal information we collect and why above in this Privacy Policy, the CCPA requires that we make certain disclosures using the categories of personal information used in the definition of personal information in the CCPA.

Category: Identifiers

Source: Directly from you

Purpose: Performing the Services of Advertising and Marketing

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

Category: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

Source: Directly from you

Purpose: Performing the Services of Advertising and Marketing

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

Category: Protected classification characteristics under California or federal law

Source: Directly from you

Purpose: Performing the Services of Advertising and Marketing

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

Category: Commercial information

Source: Directly from you

Purpose: Performing the Services

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

Category: Biometric information, which is information about your physiological, biological or behavioral characteristics

Source: Coca‑Cola does not collect this information as of the Effective Date

Purpose: Coca‑Cola does not collect this information as of the Effective Date

Third parties: Coca‑Cola does not collect this information as of the Effective Date

Category: Internet or other electronic network activity

Source: Directly from you, Automatically collected during use of the Services

Purpose: Performing the Services

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

Category: Geolocation data

Source: Directly from you, Automatically collected during use of the Services

Purpose: Performing the Services Third parties: Service providers, Other third parties

Category: Audio, electronic, visual, or similar information

Source: Directly from you

Purpose: Performing the Services Third parties: Service providers

Category: Professional or employment-related informationSource: Directly from you, From third parties

Purpose: Performing the Services, Advertising and Marketing

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners

Category: Inferences drawn from other categories to create a profile about a California Consumer Source: Coca‑Cola

Purpose: Advertising and Marketing

Third parties: Service providers, including marketing vendors, Affiliates and bottler partners, Other third parties

When we collect precise geolocation information for purposes of performing a Service you have requested, we are deemed to be collecting data that is “sensitive” under California law. Our use of this data for performing a Service you have requested is consistent with the permitted business purposes in California Civil Code § 1798.100 et seq. and implementing regulations.

While we have disclosed personal information to third parties, we have no actual knowledge that we have sold or shared such information on anyone under 16 years old.

Your California Consumer Privacy Rights

CCPA offers California Consumers the following key privacy rights:

• Right to Access Information: You have the right to request access to personal information collected about you and information regarding the source of that information, the purposes for which we collect it and the third parties and service providers with whom we share it.

• Right to Request Deletion: You have the right to request that we delete certain personal information that we have collected from you.

• Right to Correct: You have the right to correct inaccurate personal information about you. Note that correction requests are subject to certain limitations, and we may choose to delete rather than correct your personal information in some circumstances.

• Right to Opt-Out of Sale of Personal Information to Third Parties: Our disclosure of your personal information to third party advertising and analytics providers may constitute a sale under certain state laws and, in California, may also constitute “sharing” (which is a term used to address the sharing of information for advertising purposes). To the extent that our use constitutes a sale or sharing of your personal information, you have the right to opt-out by (a) enabling an opt-out preference signal or Global Privacy Control on your browser which is recognized by our U.S.-facing websites, (b) opting-out of cookies in our U.S.-facing websites’ cookie preference center, or (c) submitting an opt-out request at Privacy Web Form (onetrust.com).

• Right Against Discrimination: We will not discriminate against you for exercising your rights under the CCPA. We will not deny you goods or services for exercising your rights; charge you a different price or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, because you exercised your rights; provide you a different level or quality of goods or services because you exercised your rights; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services as a result of exercising your rights.

To submit a request to exercise your California privacy rights, please:

• click https://www.coca-cola.com/us/en/about-us/contact-us

• call toll-free to 1-800-438-2653

• email us at: https://us.coca-cola.com/support/contact-us/

To submit your request, please be prepared with your name, email address and place of residence. You may authorize another person (your agent) to submit a request on your behalf. We aim to complete requests as soon as reasonably practicable and consistent with any applicable laws. Please note that it may take additional time to verify and fulfill agent-submitted requests. If you have an account with us, you may also make certain changes directly through your account profile page. Please note that changes you make on your account profile page through the Services may not always be reflected on parts of the Services operated by us

.Please note:

• We may (and in some cases are required to) verify your identity before we can act on your request to exercise your California privacy rights. After we receive and process your request, we will contact you using the email address provided in your request with instructions on how to verify your identify, after which we will check our records for matching information.

• We may not honor part or all your request – for example, certain information we collect may be exempt from this California Privacy Notice, such as public information made available by a government entity or information covered by a different privacy law. In these situations, we will explain why we do not honor your request when we respond to you.

Notice of Financial Incentive

We may offer discounts or other benefits to consumers enrolled in certain rewards or promotional programs, including but not limited to:

(1) Consumers can opt-in to email promotions from CocaCola by submitting their email address through the Site. Additional terms and conditions are posted there. (2) Consumers can snap and upload sip & scan codes to access rewards, sweepstakes and other experiences. Consumers who are logged into their Coke.com account while participating in sip & scan may save and redeem such rewards. Additional information is available at https://www.coca-cola.com/us/en/sip-and-scan-faq/. (3) Consumers can create a CocaCola account and receive 15% off their first order at the CocaCola store. (4) Consumers can register for an account and get free or discounted products. (5) Consumers can participate in Coca‑Cola’s social promotions, contests or sweepstakes for a chance to receive the benefits described in each such promotion.Coca‑Cola does not generally assign monetary or other value to consumers’ personal information and our promotions activity changes continually. To the extent California law requires that a value be assigned to such programs, or the price or service differences they involve, Coca‑Cola values the personal information collected and used under each program as being equal to the value of the discounts or other financial incentives provided in each such program, based upon a practical and good-faith effort to assess on an aggregate basis for all collected information:

(1) the type of personal information collected in each program (e.g., email address), (2) the use of such information by CocaCola in connection with its marketing activities, (3) the range of discounts provided (which can depend on each consumer’s purchases under such offers), (4) the number of individuals enrolled in respective programs, and (5) the products for which the benefits (such as price difference) can apply. These values can change over time. Note that this description is without waiver of any proprietary or business confidential information, including trade secrets, and it does not constitute any representation with regard to generally accepted accounting principles or financial accounting standards.A different California law permits California residents to request a notice disclosing the categories of Personal Information about you that we have shared with third parties for their direct marketing purposes during the preceding calendar year. At this time, Coca‑Cola does not share Personal Information with third parties for their direct marketing purposes.Residents of Colorado, Connecticut, Utah, and Virginia. Privacy laws in these states give consumers certain rights with respect to their personal data. Coca‑Cola will honor these rights for any U.S. resident. They include:

• Right to Access Information: You have the right to access and obtain a copy of your personal data.

• Right to Request Deletion: You have the right to request that we delete personal data provided by or obtained about you.

• Right to Correct: You have the right to correct inaccuracies in your personal data.

• Right to Opt-Out: Our disclosure of your personal information to third party advertising and analytics providers may constitute a sale under certain state laws. In addition, we use cookies to serve targeted ads. You have the right to opt-out of these activities by (a) enabling an opt-out preference signal or Global Privacy Control on your browser which is recognized by our U.S.-facing websites, (b) opting-out of cookies in our U.S.-facing websites’ cookie preference center, or (c) submitting an opt-out request at https://privacyportal.onetrust.com.

In addition, residents of Colorado, Connecticut and Virginia can appeal a decision with regard to their consumer privacy requests by contacting us by email at https://www.coca-cola.com/us/en/about-us/contact-us.

Residents of Canada

Coca‑Cola collects, uses, and discloses Personal Information for the purposes identified in our Privacy Policy and for any additional purposes, as permitted by law, with notice to you and your express or implied consent.

You have certain rights in respect of your information. To access or correct your Personal Information, please complete the form at the following link. Please note we may verify your identity before we can act on your request.

For residents of Quebec: The person in charge of the protection of personal information about individuals residing in Quebec is Larissa Barbara Lourenco, who can be contacted by email at privacy@coca-cola.com.

Residents of Chile

As required by Chilean data protection law, consent will be collected for every activity performed by Coca‑Cola related to individuals protected by Chilean data protection law.

Chilean data protection law offers the following privacy rights:

• To request information on the processing of personal data

• To request rectification of incorrect or incomplete personal data

• To request deletion of personal data if they are stored without a legal basis or if they are out of date

• To request the deletion or blocking of personal data, as applicable, if the personal data were provided voluntarily or if they are used for commercial communications and the individual no longer wishes to be included in the relevant register, either permanently or temporarily

• To oppose the use of personal data for advertising, market research or opinion polling purposes

• To revoke consent to the processing of personal data at any time with effect for the future. Note, however, that revoking consent may means that further use of some or all of the Services may not be possible.

The controller of your personal information is Recofarma Indústria do Amazonas Ltda.

Residents of China Mainland

Please see our separate privacy policy available at https://cokeurl.com/cgs82t

For Residents of EEA, Switzerland and UK

Data Controller

The data controller (i.e., the Coca‑Cola entity that determines the purpose and means of processing your personal information) for the personal information collected in connection with use of the Services in the European Economic Area, Switzerland and United Kingdom is NV Coca‑Cola Services SA, a company with registered office at Chaussée de Mons 1424, 1070 Brussels.

Processing

Coca‑Cola’s processing of your personal information is described above in this Privacy Policy, including:

• Personal information collected and why is is collected (Section 2)

• How Coca‑Cola uses your personal information (Section 4) and shares your personal information (Section 6)

• How long Coca‑Cola retains your personal information (Section 8)

Legal Bases for Coca‑Cola’s Processing

The legal bases for Coca‑Cola’s processing of your personal information depend on the context in which the personal information is collected and processed. Generally, we only collect personal information when (i) Coca‑Cola needs the personal information to perform a contract with you (such as our terms of use), in which case we will advise you whether providing your personal information is mandatory and the possible consequences if you do not provide your personal information;

(ii) when we have consent to do so (which consent you can withdraw at any time using the contact information below); or

(iii) when the processing is in our legitimate business interests and not overridden by the privacy or other fundamental rights and freedoms of users (such as when we process personal information to prevent fraudulent use of the Services).

if we collect and use personal information in reliance on our legitimate interests (or those of any third party), this interest is to provide the Services and communicate with you about the Services and for responding to queries, improving the Services, advising users about new features or maintenance or undertaking marketing activities and similar commercial interests to make the Services available for you. We may have other legitimate interests and if appropriate we will make clear our legitimate interests at the relevant time.

In some cases, we also may have a legal obligation to collect personal information from users. If we ask you to provide personal information to comply with a legal requirement, we will make this clear at the relevant time and advise you whether providing your personal information is mandatory and the possible consequences if you do not provide your personal information.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at privacy@coca-cola.com.Cookie Policy

In the EEA, Switzerland and UK, Coca‑Cola has a cookie policy separate from this Privacy Policy. Please check the Coca‑Cola website that you use for more information.

Data Subjects Rights

To the extent provided under the GDPR, you have the following rights with respect to personal information concerning you:

• Right of access your personal information

• Right to rectification (i.e., correction, update)

• Right to erasure

• Right to restrict processing

• Right to data portability (i.e., receive an electronic copy of your personal information for purposes of transmitting it to another organization)

• Right to withdraw consent at any time

If you would like to access, correct, update, suppress, restrict, object to or delete personal information that you have previously provided to Coca‑Cola as or if you would like to receive an electronic copy of your personal information for purposes of transmitting it to another company (where this right to portability is provided to you by law), please submit your request to us as follows:

• Use the contact form, when available in the Services, or at https://www.coca-cola.co.uk/our-business/contact

• Complete the form available here: https://privacyportal.onetrust.com/webform/e3ab7adf-beb9-4769-844e-c1ec4e6d17bb/56b56bed-bb0c-4842-9e7f-5c58a7e9a4b3

• By post at this address: Consumer Interaction Centre, PO Box 73229, London E14 1RP

• Our EU Data Protection Officer is available at dpo-europe@coca-cola.com.

In your request, please make clear what personal information you would like to have changed, whether you would like to have your personal information suppressed from our database or other limitations you would like to put on our use of your personal information. For your protection, we verify your identity and geographic residency before fulfilling your request. We will comply with your request as soon as reasonably practicable and within the time periods required by applicable law.

Please note that we often need to retain certain personal information for recordkeeping purposes and/or to complete any transaction that you began prior to submitting your request (e.g., when you make a purchase or enter a promotion, you may not be able to change or delete the personal information provided until after the completion of the purchase or promotion). We also may not delete certain personal information for legal reasons.

How to Contact Data Protection Authorities

EU Data Protection Authorities

You have a right to lodge a complaint about how we process your personal information with the appropriate EU data protection authority.

Please click here for more information. Switzerland’s Data Protection RegulatorOffice of the Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1CH - 3003 BerneTel: 41 (0)58 462 43 95 (mon.-fri., 10-12 am)Telefax: 41 (0)58 465 99 96https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html

United Kingdom’s Data Protection RegulatorInformation Commissioner's Office (ICO)Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AFTelephone: 0303 123 1113Fax: 01625 524510

https://ico.org.uk/global/contact-us/

Residents of India

The applicable law governing privacy policy is IT Act, 2000 and Reasonable security practices and procedures and sensitive personal data or information Rules, 2011, and in supersession of the Information Technology (Intermediaries Guidelines) Rules, 2011, issued under the IT Act, 2000.

Email Address of the Grievance Officer appointed by Coca Cola India Private Limited (CCIPL): grievanceofficerprivacyindia@coca-cola.com

Registered office of CCIPL: Plot No. 1109-1110, Village Pirangut, Taluka Mulshi, Distt. Pune

Corporate Office of CCIPL: 1601-1701, One Horizon Center, DLF Golf Course Road, Phase V, Sector 43, Gurgaon, Haryana

Residents of Japan

Please see our separate privacy policy available at https://cokeurl.com/rb7p5c

Residents of Mexico

Coca‑Cola’s Mexico Privacy Notice applies to the processing of personal information of residents of Mexico as required by the Mexican law, LEY FEDERAL DE PROTECCIÓN DE DATOS PERSONALES EN POSESIÓN DE LOS PARTICULARES.

Please see our separate privacy policy available at https://cokeurl.com/4utd7g

The controller of your personal information is: Servicios Integrados de Administración y Alta Gerencia, S. de R.L de C.V., The Coca‑Cola Export Corporation, Sucursal En México, Rubén Darío 115, Col. Bosque de Chapultepec, CP 11580, CDMX. Tel:+5255.5262.200

The data protection regulator is Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales.

If you about Coca‑Cola’s Mexico Privacy Notice, please contact us by email at: avisodeprivacidad@coca-cola.com.mx.

Residents of Philippines

Coca‑Cola does not collect full date of birth from consumers in the Philippines. Coca‑Cola will obtain parental consent when Coca‑Cola is knowingly processing personal information of consumers under age 18.

The controller of your personal information is Coca‑Cola Far East Ltd. (Philippines Regional Operating Headquarters) and The Coca‑Cola Export Corporation (Philippines Branch).

Residents of South Korea

Please see our separate privacy policy available at https://cokeurl.com/eljncr

Residents of Thailand

The Thailand Personal Data Protection Act of 2019 applies to the processing of personal information of residents of Thailand. The controller of your personal information is Coca‑Cola (Thailand) Ltd. Please contact privacythailand@coca-cola.com with questions.

Following is a summary of your data protections rights:

Your right of access to personal information

You have the right to obtain confirmation as to whether we process personal information about you, receive a copy of your personal information held by us as a controller and obtain certain other information about how and why we process your personal information.

Your right to rectification/amendment of personal information

You have the right to request your personal information to be amended or rectified where it is inaccurate (for example, if you change your name or address) and to have incomplete personal information completed. When practically possible, once we are informed that any personal information processed by us is no longer accurate, we will make updates as appropriate based on your updated information.

Your right to erasure/right to be forgotten

You have the right to obtain deletion of your personal information in the following cases:

• The personal information is no longer necessary in relation to the purposes for which it was collected and processed.

• Our legal grounds for processing is consent, you withdraw consent, and we have no other lawful basis for the processing.

• Our legal grounds for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to our processing, and we do not have overriding legitimate grounds.

• You object to our processing for direct marketing purposes.

• Your personal information has been unlawfully processed.

• Your personal information must be erased to comply with a legal obligation to which we are subject.

Your right to restrict processing You have the right to restrict our processing of your personal information in the following cases:

• You contest the accuracy of the personal information we process about you. We must restrict processing the contested information until we can verify the accuracy of your personal information.

• The personal information shall be erased or destroyed, but you request the restriction of the use of that personal information instead.

• It is no longer necessary to retain the personal information for the purposes of the collection, but you request us to retain that personal information for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims.

• The personal information is pending verification of legitimate grounds to process it, of its necessity for legal claims (establishment, compliance, exercise or defense), or of its necessity for us to perform a task in public interest.

Your right to object to processing

You have the right to object to our processing of your personal information in the following cases:

• the personal information was collected for the necessity of:

• the performance of a task carried out in the public interest by us, or the exercising of official authority vested in us, and legitimate interests of Coca‑Cola

• the collection, use, or disclosure of such personal information is for the purpose of direct marketing;

• the collection, use, or disclosure of the personal information for the purpose of scientific, historical or statistic research

Note: We reserve the right to refuse your request if we can prove that (i) there is compelling legitimate grounds for processing this personal information, or it is necessary for the establishment, compliance, exercise or defense of legal claims or (ii) the processing of your personal information for the purpose of scientific, historical or statistic research is necessary to performance of a task carried out for reasons of public interest. Your right to information portability

You have a right to receive your personal information you provided us and have the right to send the information to another organization (or ask us to do so if technically feasible) where:

• our lawful basis for processing the personal information is consent or necessity for the performance of our contract with you and

• the processing is carried out by automated means.

Your right to withdraw consent

Where we process personal information based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal information based on consent (as we can usually rely on another legal basis).

The data protection regulator is:

Thailand Personal Data Protection Commission

Ministry of Digital Economy and Society

Address: No. 120, Moo 3, The Government Complex, Tower B, Changwattana Road, Lak Si, Bangkok, Thailand, Bangkok

Tel: 662-142-1033, 662-141-6993

Email: pdpc@mdes.go.th

Website: https://www.mdes.go.th/mission/82

Residents of Turkey

Coca‑Cola provides you with the option to review, correct, update, or modify personal information you have previously provided. To exercise these rights, please:

• Send an email to cocacoladanismamerkezi@eur.ko.com

• Call our toll-free number: 0 800 261 1920

In your request, please make clear what personal information you would like to have changed, whether you would like to have your personal information suppressed from our database or other limitations you would like to put on our use of your personal information. For your protection, we may need to verify your identity and geographic residency before fulfilling your request. We will comply with your request as soon as reasonably practicable and within the time periods required by applicable law.

* * * * *

Following is additional information about the Coca‑Cola entity that acts as controller of your personal information, depending on your place of habitual residence:

Bangladesh

Coca‑Cola Bangladesh Beverages Limited
Crystal Palace (11th Floor), Rd 140, Dhaka 1212, Bangladesh

Kingdom of Bhutan

TASHI BEVERAGES LIMITED
POST BOX # 267, PASAKHA BHUTAN.
00975-77190300 (O)

Chile

Coca‑Cola de Chile S.A
Avenida Presidente
Kennedy 5757 Piso 12
Las Condes, Santiago

Colombia

Coca‑Cola Bebidas de Colombia, S.A.
AK45 #103-60. Piso 8.
Bogotá, Colombia.
Tel. 638-6600Data Protection Regulator:
Superintendencia de Industria y Comercio (SIC)
https://www.sic.gov.co
Carrera 13 No. 27 - 00, Pisos 1 y 3
Línea Gratuita Nacional: 01 8000 910165
contactenos@sic.gov.co

Costa Rica

Coca‑Cola Industrias SRL
Plaza Tempo, Oficinas Corporativas, Escazú, Sab José, Costa Rica

Data Protection Regulator:
Agencia de Protección de Datos de los Habitantes (PRODHAB).
prodhab.go.cr.
San Pedro de Montes de Oca, Alameda, Avenida 7 y calle 49, edificio Da Vinci.
Sistema Costarricense de Información Jurídica (pgrweb.go.cr)

Dominican Republic

Distrito La Hispaniola Compañía De Servicios, S.R.L.,
Avenida Winston Churchill, Torre Acrópolis, Piso 12, Ensanche Piantini
Attn: Santiago Carrasco

Ecuador

Coca‑Cola de Ecuador. S.A.
Republica de El Salvador N36.230 y Naciones Unidas. Edificio Citibank Piso 1.
Quito, Ecuador
Tel: 593 2 382 622Attn: Mariana Rosalba

Indonesia

PT Coca‑Cola Indonesia
South Quarter Tower B, Penthouse Floor, Jl. R. A. Kartini Kav. 8, Cilandak Barat, Jakarta Selatan

Republic of Maldives

Male Aerated Water Company
5GH7+CG8, Boduthakurufaanu Magu, Malé, Maldives

Nepal

Bottlers Nepal Limited and Bottlers Nepal

Bottlers Nepal Limited,
Balaju Industrial District, Balaju,
Kathmandu, Nepal, P.O. Box: 2253
+977-01-4352986, +977-01-4352988

Bottlers Nepal (Terai) Limited,
Gondrang, Bharatpur-9, Chitwan,
Nepal, P.O. Box: 20
+977-056420216

Perú

Coca‑Cola Servicios de Perú, S.A.
República de Panamá 4050. Surquillo. Lima, Perú.
Tel. (511) 411-4200Attn: Maria Sol Jares

Data Protection Regulator:
Autoridad Nacional de Protección de Datos Personales
https://www.gob.pe/anpd
Scipión Llona 350 Miraflores - Lima - Perú
protegetusdatos@minjus.gob.pe

Philippines

Coca‑Cola Far East Ltd. (Philippines Regional Operating Headquarters)
24th Floor, Six/NEO Bldg., 5th Ave cor. 26th Street, Bonifacio Global City, Taguig

The Coca‑Cola Export Corporation (Philippines Branch)
24th Floor Net Lima
Building 5th Avenue corner 26th Street Bonifacio Global City Taguig,
Manila, 1634 Philippines

Sri Lanka

Coca‑Cola Beverages Sri Lanka Limited
B214, Biyagama Road, Colombo, Sri Lanka

Ukraine

Coca‑Cola Ukraine Limited LLC
139 Velyka Vasylkivska Street, 13 floor
Velyka Vasylkivska Kyiv, 03150
Ukraine

Vietnam

Coca‑Cola Southeast Asia, Inc.
235 Dong Khoi Street, District 1, Ho Chi Minh City

THE EU-US DATA PRIVACY FRAMEWORK POLICY

The Coca‑Cola Company (“Coca‑Cola” or “we”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Coca‑Cola has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the Processing of Personal Information received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Coca‑Cola has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about the Processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov.

(Note: the Swiss-U.S. DPF is awaiting finalization as of the date of this DPF Policy. Please visit here for more information.)

Definitions

WHEN THIS DPF POLICY APPLIES

This DPF Policy applies to Personal Information transferred from member countries of the European Economic Area (EEA, which is the member states of the EU plus Iceland, Liechtenstein and Norway), the United Kingdom (UK), and Switzerland to Coca‑Cola in the U.S. in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF. Personal Information that Coca‑Cola Processes in compliance with the DPF Program is covered by Coca‑Cola’s other privacy-related requirements and policies (collectively, the Coca‑Cola Privacy Policies), such as:

• Personal Information Processed about users of Coca‑Cola’s websites, mobile applications, widgets and other online and offline services (together, the Services) is subject to the Coca‑Cola Privacy Policy (available at https://www.coca-cola.com/gb/en/legal/privacy-policy for the UK, and, for the EEA and Switzerland, by selecting the relevant country here or, for some Services, the privacy policy, notice or statement linked or posted in those Services.

• Personal Information regarding external job applicants is described in The Coca‑Cola Applicant Privacy Notice applies to Personal Information collected from or about applicants.

• Personal Information regarding Coca‑Cola’s current or past employees, interns, contractors and contingent workers is subject to Coca‑Cola’s Employee Privacy Notices and to Coca‑Cola’s DPF Policy for HR Data, which are available on KO Connect (Coca‑Cola’s intranet).

This DPF Policy does not apply to Personal Information transferred under Standard Contractual Clauses or any approved derogation from the EU General Data Protection Regulation, the UK General Data Protection Regulation or the Swiss Federal Data Protection Act. While the DPF Program is an authorized international transfer mechanism to enable Coca‑Cola to receive Data Subjects’ Personal Information in the U.S., Coca‑Cola’s obligations and Data Subject rights under the DPF Program are separate from those under EU General Data Protection Regulation, the UK General Data Protection Regulation and the Swiss Federal Data Protection Act.

COCA-COLA’S COMMITMENT TO THE DPF PRINCIPLES

Coca‑Cola commits to applying the DPF Principles to all Personal Information that Coca‑Cola in the U.S. receives from the EEA, UK and Switzerland in reliance on the DPF Program. Coca‑Cola’s adherence to this DPF Policy may be limited to the extent required to meet Coca‑Cola’s legal, regulatory, governmental or national security obligations.

The DPF Principles

The DPF Principles are: 1. Notice; 2. Choice; 3. Accountability for Onward Transfer; 4. Security; 5. Data Integrity and Purpose Limitation; 6. Access; and 7. Recourse, Enforcement and Liability.

1. Notice Principle

Coca‑Cola provides notice to Data Subjects about its Processing Practices for Personal Information received by Coca‑Cola in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program through the Coca‑Cola Privacy Policies and this DPF Policy, including:

• the types of Personal Information it collects about them

• the purposes for which it Processes the Personal Information (see also 5. below)

• the types of Agents and other third parties to which Coca‑Cola discloses Personal Information and the purposes for doing so (see also 3. below)

• the rights of Data Subjects to access their Personal Information (see 6 below)

• the choices that Coca‑Cola offers Data Subjects for limiting use and disclosure of their Personal Information (see also 2. below)

• how Coca‑Cola’s obligations under the DPF Program are enforced, including Coca‑Cola’s designated independent dispute resolution mechanism to address complaints and provide appropriate recourse free of charge, the possibility, under certain conditions, to invoke binding arbitration (see also 7. below)

• Coca‑Cola’s liability in cases of onward transfers to third parties (see also 3. below)

• how Data Subjects can contact Coca‑Cola with questions or complaints.

Coca‑Cola is not required to apply the Notice Principle or the Choice or Accountability for Onward Transfer Principles (see 2. and 3. below) to public record information (i.e., records kept by government agencies or entities at any level that are open to consultation by the public in general) or information that is already publicly available to the public at large as long as this information is not combined with non-public record information and, for public record information, any conditions for consultation established by the relevant jurisdiction are respected.

2. Choice Principle

Coca‑Cola provides Data Subjects with choices about their Personal Information before Coca‑Cola uses Personal Information covered by this DPF Policy for a new purpose that is materially different from the purpose for which the Personal Information was originally collected or subsequently authorized or before disclosure to a non-Agent third party that was not already authorized. Coca‑Cola will obtain affirmative consent (i.e., opt-in) from Data Subjects before Sensitive Personal Information is disclosed to a third party.Coca‑Cola will obtain the Data Subject’s affirmative express consent (i.e., opt in) before Sensitive Personal Information covered by this DPF Policy is (i) disclosed to a third party or (ii) used for a new purpose that is different from that for which the Personal Information was originally collected or subsequently authorized by the Data Subject. (subject to some limitations set forth here.) Under the DPF Principles, Coca‑Cola is not required to provide choice when disclosure is made to a third party that is acting as an Agent if Coca‑Cola enters into a written contract with the Agent (see 3. below).To opt out of these uses or disclosures of Personal Information or Sensitive Personal Information, please contact Coca‑Cola as follows:

• Send an email to privacy@coca-cola.com

• Complete the form available here

• Send mail to Consumer Interaction Centre, PO Box 73229, London E14 1RP

Coca‑Cola may engage with a Data Subject to request sufficient information to allow Coca‑Cola to confirm the identity of the Data Subject making an opt-out request. Coca‑Cola may use information for certain direct marketing purposes when it is impracticable for Coca‑Cola to provide a Data Subject with an opportunity to opt out before using the Personal Information but only when Coca‑Cola promptly offers the Data Subject the opportunity at the same time (and upon request at any time) to decline (at no cost) to receive any further direct marketing communications and Coca‑Cola complies with the individual’s wishes.

3. Accountability for Onward Transfer Principle

Coca‑Cola offers Data Subjects the opportunity to choose (i.e., opt out) whether their Personal Information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which the Persona Information was originally collected or subsequently authorized.

Transfers to Controllers:

Coca‑Cola will transfer Personal Information covered by this DPF Policy to a third party acting as a Controller consistent with the relevant Coca‑Cola Privacy Policies provided to each affected Data Subject and the Data Subject’s consent given to Coca‑Cola. Coca‑Cola also will make these transfers only if the Controller has agreed in a written contract that it will (i) Process the Personal Information for limited and specified purposes consistent with the consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease Processing of the Personal Information or take other reasonable and appropriate steps to remediate the Processing if it makes such a determination. Coca‑Cola will take reasonable and appropriate steps to prevent, stop or remediate the Processing if Coca‑Cola becomes aware that a Controller is Processing Personal Information covered by this DPF Policy contrary to the DPF Principles.

Transfers to Agents:

Coca‑Cola will transfer to each Agent only the Personal Information needed for the Agent to provide the services or products as Coca‑Cola has instructed. Coca‑Cola will require that each Agent:

• Process the Personal Information only for limited and specified purposes as instructed by Coca‑Cola;

• Provide at least the same level of privacy protection as is required by the DPF Principles;

• Take reasonable and appropriate steps to ensure that the Agent effectively Processes the Personal Information transferred in a manner compliant with Coca‑Cola’s obligations under the DPF Principles; and

• Notify Coca‑Cola if the Agent determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles.

Upon receiving notification from an Agent that the Agent can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, Coca‑Cola will take reasonable and appropriate steps to stop and remediate the unauthorized Processing. Coca‑Cola also provides summaries of the relevant privacy provisions of its contracts with Agents to the Department of Commerce upon request.

In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Coca‑Cola remains liable under the DPF Principles if an Agent Processes Personal Information covered by this DPF Policy in a manner inconsistent with the DPF Principles unless Coca‑Cola proves that Coca‑Cola is not responsible for the event giving rise to the damages.

4. Security Principle

Coca‑Cola takes reasonable and appropriate measures to protect Personal Information covered by this DPF Policy from loss, misuse and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the Processing and the nature of the Personal Information.

5. Data Integrity and Purpose Limitation Principle

Coca‑Cola limits its collection of Personal Information to information that is relevant for the purposes of Processing. Coca‑Cola does not Process Personal Information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the Data Subject.

Coca‑Cola takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. Coca‑Cola takes reasonable and appropriate measures to comply with the requirement under the DPF Program to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing. Specifically, Coca‑Cola will retain Personal Information in accordance with Coca‑Cola’s legitimate business purposes and legal obligations, unless a longer retention period is required or permitted by law.

Coca‑Cola will adhere to the DPF Principles for as long as it retains Personal Information covered by this DPF Policy.

6. Access Principle

Data Subjects whose Personal Information is covered by this DPF Policy have the right (i) to obtain from Coca‑Cola confirmation of whether or not Coca‑Cola is Processing Personal Information relating to them and to access that Personal Information and (ii) to correct, amend, or delete their Personal Information if it is inaccurate or if Coca‑Cola Processes it in violation of the DPF Principles - except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, when the rights of persons other than the Data Subject would be violated or disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, defense or public security. Coca‑Cola will make good-faith, reasonable and practical efforts to comply with requests, so long as our doing so would be consistent with applicable law, Coca‑Cola’s contractual requirements, and/or the laws applicable to Coca‑Cola.

Coca‑Cola may engage with a Data Subject to request sufficient information to allow Coca‑Cola to confirm the Data Subject’s identity or if an access request is vague or broad in scope or to better understand the motivation for the request and to locate responsive information. Coca‑Cola also may inquire about how the Data Subject interacted with Coca‑Cola or about the nature of the Personal Information or its use that is the subject of the request. Coca‑Cola may deny or limit access to the extent that granting full access would reveal Coca‑Cola’s own confidential commercial information, such as the confidential commercial information of another that is subject to a contractual obligation of confidentiality. Coca‑Cola may set reasonable limits on the number of times within a given period that access requests from a particular Data Subject will be met.

To make a data access request, Data Subjects may contact Coca‑Cola by:

• Sending an email to privacy@coca-cola.com

• Completing the form available here

• Sending mail to Consumer Interaction Centre, PO Box 73229, London E14 1RP

Coca‑Cola will respond to access requests within a reasonable time period.7. Recourse, Enforcement, and Liability

The Federal Trade Commission (FTC) has jurisdiction over Coca‑Cola’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Coca‑Cola commits to resolve complaints about our collection or use of Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

EU, UK and Swiss individuals with inquiries or complaints should first contact Coca‑Cola by email to privacy@coca-cola.com or Coca‑Cola’s EU Data Protection Officer is available at dpo-europe@coca-cola.com.

Coca‑Cola has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. The service of BBB NATIONAL PROGRAMS is provided free or charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. * * * * *Coca‑Cola agrees to periodically review and verify its compliance with the DPF Principles and to remedy any issues arising out of Coca‑Cola’s failure to comply with the DPF Principles. Coca‑Cola acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.

All Coca‑Cola personnel who have access in the U.S. to Personal Information covered by this DPF Policy are responsible for ensuring that Personal Information Processing complies with this DPF Policy. Coca‑Cola personnel also are responsible for ensuring that Agents or other unaffiliated third parties that Process Personal Information subject to this DPF Policy comply with this DPF Policy and Process Personal Information in accordance with the DPF Principles, including contracts required by the DPF Program.

CHANGES TO THIS DATA PRIVACY FRAMEWORK POLICY

This DPF Policy may be amended from time to time consistent with the requirements of the DPF. When we make changes to this DPF Policy, we will revise the “Last Updated” date at the beginning of this DPF Policy. We also will take appropriate measures to inform you in advance of changes we feel are significant so that you have an opportunity to review the revised DPF Policy before it is effective. If your consent is required by the DPF Principles, we will obtain your consent. We encourage you to regularly check this DPF Policy to ensure you are aware of the updated version.

QUESTIONS?

Coca‑Cola is committed to protecting the privacy of your Personal Information.

If you have any questions or comments about this DPF Policy, please contact privacy@coca-cola.com.