What type of personal information do we collect about you?

We collect personal information that you voluntarily provide when registering at Portal Connect.

The subject-matter of the processing is limited to Personal Data within the scope of the European General Data Protection Regulation ("GDPR"). The nature and purpose of the processing shall be to provide the services pursuant to the Agreement defined in next article, and the duration of the processing shall be for the term of the Agreement. The types of Personal Data processed include those expressly identified in Article 4 (1) of the GDPR, as well as other Personal Data submitted by Suscriber to the SIL portal. Categories of data subjects are Subscriber's representatives and end users, such as employees, contractors, suppliers, and collaborators.

If you do not want this information to be collected or used by us, you can simple "opt out". In this case, we will not be able to provide you with access to the Portal. In addition opting out may prevent your participation in activities for which personal information is needed, such as the subscription to our newsletter.

How do we use the data we collect?

When SIL has to process data, it does so for specified, explicit and legitimate purposes.

We will always explain the extent of our use of your information at the time you are asked to provide it.

In relation to Portal Connect processing is necessary for the performance of a contract to which a SIL partner is party, among other, a distribution agreement, license agreement, co/packing agreement etc. (the "Agreement") Therefore we need to process your personal data in order to manage the product orders placed through the Portal Connect.

For each processing, SIL agrees to collect and process only data that are strictly necessary for attaining the objective pursued. As a consequence, data use is legitimate and proportionate

We do not rent, share, sell or trade partner e-mail addresses, mailing addresses and telephone numbers.

Is Data access regulated?

SIL applies a strict clearance policy. The personal data it processes are transferred only to authorized persons within SIL organization.

SIL will ensure that its personnel engaged in the processing of Personal Data (i) will process Personal Data only on instruction from Portal Subscriber, unless required to do so by EU, Member Sate, or other applicable law and (ii) have committed to maintain the confidentiality of any Personal Data even after their engagement ends.

SIL has also contracted with third party service providers to manage our database and provide technical and any other support for the application. Your personal data may be disclosed and transferred to such third party service provider. All third party service providers involved in the management of SIL business have been engaged under a binding confidentiality agreement with SIL, whereby said third party may act only upon the instruction of SIL and have a limited access to SIL database for the purposes of providing technical support.

How we store and protect Personal Information-Data security

We will retain your personal data no longer than is necessary for the relevant purposes of the Agreement for which they are processed and in accordance with the applicable legislation.

On expiration or termination of the Agreement, SIL shall delete or return Personal Data, unless EU, Member State, or other applicable law require storage of the Personal Data.

SIL takes the security of personal data very seriously. It has implemented technical and organizational measures appropriate to the degree of sensitivity of the personal data, to ensure the integrity and confidentiality of the data and protect them against malicious intrusion, loss, alteration or disclosure to unauthorized third parties.

When it works with providers, SIL transfers personal data only after requiring the compliance with those security principles.

SIL conducts regular audits to verify that data security rules are applied properly.

How to access, update, correct or delete your personal Information

SIL has implemented the necessary measures to be able to respond to the requests for access, rectification, erasure, objection and data portability that may be made by you throughout the processing lifecycle in Portal Connect, and this within the time periods specified by law.

SIL is available for any question related to this personal data protection policy at SIL.Legal@suntory.com

To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections

Finally, we would like to inform you that in accordance with the applicable legislation you have the right to lodge a complaint with a supervisory authority, in particular in the EU country of your habitual residence, place of work or place of the alleged infringement it you consider that the processing of your personal data infringes the above mentioned regulations.

Appendix: SBFE Website Privacy Policy

Suntory Beverage & Food Europe (SBFE) is a regional construct which manages the operation of our European business units
In this policy any reference to the 'Company' relates to SBFE Business Unit and includes the following:

• Lucozade Ribena Suntory
• Lucozade Ribena Suntory Ireland
• Orangina Schweppes Belgium
• Schweppes Suntory Espana
• Schweppes Suntory Portugal
• Schweppes International Limited
• Orangina Schweppes Poland
• Citresa

This Privacy Policy explains how we use the personal information that the Company collects or generates both in relation to this website and our products and services.
The list below sets out what is covered in this Privacy Policy and you can click on the headings below to go to a specific section.

1. Background
2. The products and services we provide
3. The types of personal data we collect
4. How we use your information
5. Disclosure of your information to third parties
6. International transfers of personal data
7. How we safeguard your information
8. How long we keep your personal data
9. Your rights
10. Questions and concerns

1. Background

1.1 The Company with its registered office at SBFE EEIG, 40-52 boulevard du Parc 92200 Neuilly sur Seine, France collect and use certain Personal Data. The Company is responsible for ensuring that it uses that Personal Data in compliance with data protection laws.

1.2 We respect privacy and we are committed to keeping all your Personal Data secure. This Privacy Policy governs the handling of Personal Data by our Company in the course of carrying on commercial activities.

1.3 We use the following definitions in this Privacy Policy:

"Personal Data" means any data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, our Company (or its representatives or service providers). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of the Company or any other person in respect of an individual.

2. The products and services we provide

2.1 This Privacy Policy concerns the following categories of information that we collect about you when providing the following products and services:

(A) Information we receive through our websites;

(B) Information we receive through our activities;

(C) Information we receive through the manufacture and the sale of our products.

3. The types of personal data we collect

3.1 Many of the activities of our Company require us to obtain Personal Data about you in order to perform the services or obligations we have been engaged to provide. In relation to each of the activities, we will collect and process the following Personal Data about you:

• Information that you provide to us. This includes information about you that you provide to us. The kind of Personal Data we might ask for, may include (by way of a non-exhaustive list):
  - basic Personal Data (such as first name; family name; position in the company; company name; company email address; business phone number; business address; city; postcode; country);
  - any information that you choose to share on our Internet forums which may be considered Personal Data. (Please note that our Company does not collate information included on our Internet forums together with Personal Data from your User Center account or profile);
• Information that we collect or generate about you. This includes (by way of non-exhaustive list):
  - a file with your contact history to be used for enquiry purposes so that we may ensure that you are satisfied with the services which we have provided to you;
  - activity data relating to the use of protected documents, such as altering a document's permissions and information regarding the individual that performed the activity.
• Information we obtain from other sources.
• Cookies.
  - When you visit our Websites, cookies are used to collect technical information about the services that you use, and how you use them.
  - For more information on the cookies used by us please see our Cookie Policy of the website.
• Anonymized data
  - In addition to the categories of Personal Data described above, we will also process further anonymized information and data that is not processed by reference to a specific individual.
• Children
  We take children's privacy protection seriously. We operate this website in compliance with all applicable laws in the countries in which we operate business.
  Children under a certain age [please refer to your local age regulation] should have a parent/guardian's consent before providing any personal information to the website or using any of our products and services. We will not, as provided by applicable law, require or request children under this age to provide more personal information than is reasonably necessary to participate in the applicable activity on the website or participate in our products and services. If you are under the age as determined by the local age regulation, you will not be able to register in this Website.
  Our Company is not responsible for cases in which minor persons have sent all personal data through this website.

4. How we use your information

4.1 Your Personal Data may be stored and processed by us in the following ways and for the following purposes:

• for ongoing review and improvement of the information provided on our Websites to ensure they are user friendly and to prevent any potential disruptions or cyber-attacks;
• to assess your application for our business, where applicable;
• to set up customers for our business;
• to set up users to use the User Center;
• for statistical monitoring and analysis of current attacks on devices and systems and for the on-going adaptation of the solutions provided to secure devices and systems against current attacks;
• to understand feedback on our Products or Services and to help provide more information on the use of those Products and Services quickly and easily;
• to communicate with you in order to provide you with services or information about our business, our company and our Products ;
• for in-depth threat analysis;
• to understand your needs and interests;
• for the management and administration of our business;
• in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; or
• for the administration and maintenance of databases storing Personal Data.

4.2 However when we use Personal Data we make sure that the usage complies with applicable law and regulations and the law and regulations allow us and require us to use Personal Data for a variety of reasons. These include:

• we need to do so in order to perform our contractual obligations with customers;
• we have obtained your consent;
• we have legal and regulatory obligations that we have to discharge;
• we may need to do so in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
• the use of your Personal Data as described is necessary for our legitimate business interests, such as:
  - allowing us to effectively and efficiently manage and administer the operation of our business;
  - maintaining compliance with internal policies and procedures;
  - monitoring the use of our copyrighted materials;
  - enabling quick and easy access to information on our Company, our business and our Products;
  - offering optimal, up-to-date security solutions for mobile devices and IT systems; and
  - obtaining further knowledge of current threats to network security in order to update our security solutions and provide these to the market.

4.3 We will take steps to ensure that the Personal Data is accessed only by employees of our Company that have a need to do so for the purposes described in this Privacy Policy.

5. Disclosure of your information to third parties

5.1 We may share your Personal Data within the Suntory group of companies for the purposes described above:

5.2 We may also share your Personal Data outside of the Suntory group for the following purposes:

• with our business partners. For example, this could include our partners from whom you or your company or your organisation purchased our Products. Personal Data will only be transferred to a business partner who is contractually obliged to comply with appropriate data protection obligations and the relevant privacy and confidentiality legislation;
• with third party agents and contractors for the purposes of providing services to us (for example, the Company's accountants, professional advisors, IT and communications providers and debt collectors). These third parties will be subject to appropriate data protection obligations and they will only use your Personal Data as described in this Privacy Policy;
• to the extent required by law and regulations, for example if we are under a duty to disclose your Personal Data in order to comply with any legal obligation (including, without limitation, in order to comply with tax reporting requirements and disclosures to regulators), or to establish, exercise or defend its legal rights;
• if we sell our business or assets, in which case we may need to disclose your Personal Data to the prospective buyer for due diligence purposes; and
• if we are acquired by a third party, in which case the Personal Data held by us about you will be disclosed to the third party buyer.

6. International transfers of personal data

6.1 Our Company is a global business. Our customers and our operations are spread around the world. As a result we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country.

6.2 Where we transfer your Personal Data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside of Europe, for example, this may be done in one of the following ways:

• the country that we send the data to might be approved by the European Commission as offering an adequate level of protection for Personal Data;
• the recipient might have signed up to a contract based on "model contractual clauses" approved by the European Commission, obliging them to protect your Personal Data;
• where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme; or
• in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.

6.3 You can obtain more details of the protection given to your Personal Data when it is transferred outside Europe (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as described in paragraph 10 below.

7. How we safeguard your information

7.1 We have controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.

7.2 As a condition of employment, our employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive Personal Data is limited to those employees who need it to perform their roles. Unauthorised use or disclosure of confidential SBFE entity information by one of our employees is prohibited and may result in disciplinary measures.

7.3 When you contact one of our employees about your file, you may be asked for some Personal Data. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.

8. How long we keep your personal data

8.1 How long we will hold your Personal Data for will vary and will be determined by the following criteria:

• the purpose for which we are using it, for instance the duration of your contract with us - we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations - laws or regulations may set a minimum period for which we have to keep your Personal Data.

9. Your rights

9.1 In all the above cases in which we collect, use or store your Personal Data, you may have the following rights and, in most cases, you can exercise them free of charge.

These rights include:

• the right to obtain information regarding the processing of your Personal Data and access to the Personal Data which we hold about you;
• the right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation;
• in some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to Personal Data which you have provided directly to our Company;
• the right to request that we rectify your Personal Data if it is inaccurate or incomplete;
• the right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data but we are legally entitled to retain it;
• the right to object to, or request that we restrict, our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your Personal Data but we are legally entitled to refuse that request; and
• the right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us.
• the right to provide us instructions regarding the processing of your personal data after your death.

9.2 You can exercise your rights by contacting us using the details listed in paragraph 10 below.

10. Questions and concerns

10.1 If you have any questions or concerns about us handling of your Personal Data, or about this Policy, please contact our Data Protection Officer using the following contact information:

Email Address: GDPR.Info@suntory.com

We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive from our Data Protection Officer, you should, in the first instance, contact your local regulator. In the Netherlands, the relevant authority is the Autoriteit Persoonsgegevens:
Bezuidenhoutseweg 30
2594 AV Den Haag
Telephone number: 088 - 1805 250
Because we have offices in several different European locations, we have also registered a Supervising Lead Authority (SLA). Depending on the nature of your concern, the matter may be referred to our SLA:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 place de Fontenoy
75007
Paris.