1. Introduction

CANPACK Group is a leading manufacturer in the beverage packaging industry, glass and metal packaging and also crown caps. CANPACK is committed to conduct its business in compliance with applicable privacy and data protection law on every stage of its activity.

Several CANPACK Group members are located in the European Union, including the group parent company CANPACK S.A. with its registered seat in Poland. The list of CANPACK Group EU companies is available here: (each company hereinafter referred to separately as: “CANPACK”).

This Privacy Notice explains for what purposes and how CANPACK collects personal data about data subjects, as well as how we protect the personal data and for how long we will retain it and what rights the data subjects have under the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („GDPR”).

2. Purposes of the processing

CANPACK processes the personal data in order to:

  • Hire employees;
  • Perform employment contracts;
  • Contact current and prospecting customers, suppliers, and other persons by e-mail, telephone, fax and other means, as well as perform contracts with them;
  • Comply with its legal obligations;
  • Perform other activities arising from the course of business

If you are applying for a job at CANPACK via our web-site at, you will find the relevant Privacy Notice on processing of personal data within recruitment process there.

CANPACK employees are acquainted with the information about processing of their personal data by HR Department according to CANPACK internal procedures.

3. Data controller of the personal data

The data controller of the personal data is the CANPACK Group company with whom a data subject or an entity at which a data subject is employed or works for is doing business or intends to do business or is in other relationship.

It may happen that two or more CANPACK Group companies will determine the purposes and means of processing of the personal data, being the so-called joint controllers. In such cases CANPACK S.A. with registered seat in Poland, 1 Jasnogórska Str., 31-358 Krakow shall be responsible for providing adequate information to the data subjects and for managing and answering requests submitted by the data subjects.

4. Legal basis for the processing

The personal data are processed on the following legal grounds:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • performance of a contract to which a data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation to which CANPACK is subject;
  • for the purposes of the legitimate interests pursued by CANPACK – in order to ensure continuity, efficiency and security of its business activity, as well as for the establishment, exercise or defence of legal claims or for marketing purpose.

5. Categories of personal data processed

The processing of personal data includes the following:

  • Standard contact data (like telephone number, e-mail address, name, title, physical address, etc.)
  • Name and address of a business activity
  • Account number
  • Name of an employer, job position
  • Fees and expenses to be reimbursed

6. Source of the personal data

When a data subject concludes a contract with CANPACK, the initial data is likely to come from this data subject. We may also receive the personal data from a data subject’s employer, a web-site or other publicly accessible sources, if such data subject’s personal data are required for a performance of a contract, submitting an offer or asking a question about particular services.

7. Data recipients


Within the scope of CANPACK’s internal authorisations and on a need-to-know basis only, the personal data may be disclosed to the persons responsible for contact with customers and suppliers, e.g. finance and tax departments, as well as legal, HR, internal audit and IT.

In certain cases, if necessary for a performance of a contract or for security, compliance or other legitimate reasons, CANPACK may make the personal data available to its subsidiaries or affiliates. As part of the Giorgi Global Holdings, Inc. (“GGH”) capital group, within the framework of a corporate governance, CANPACK may also in certain cases make the personal data available to GGH or its subsidiaries in the USA.


For the above-mentioned purposes, the personal data may be disclosed to third parties such as:

  • banks for payment transactions
  • cloud providers for data stored in the cloud
  • data service providers who are responsible for providing support to our IT, HR, enterprise management, and data infrastructure
  • other professional advisors, like IT or auditing service providers

The external recipients are required to respect the confidential nature of the data and may only use them according to CANPACK’s instructions when processing personal data on behalf of it as data processors or according to the applicable law when acting as data controllers.

8. Security

CANPACK has applied adequate organizational and technical measures in order to ensure that the personal data are protected in accordance with the GDPR. Those measures shall be reviewed and updated where necessary. CANPACK’s employees are obliged to protect the personal data according to CANPACK’s Global Security Policy, in particular to treat them as strictly confidential and process them to the extent necessary for the performance of the above-mentioned purposes.

9. Transfers of the personal data to third countries

Personal data may be processed outside the European Economic Area (EEA). When processed outside the EEA, CANPACK will make sure that this cross-border data processing is protected by adequate safeguards. The safeguards that we use to protect cross-border data processing include:

  • standard contractual clauses for protection of personal data approved by the European Commission, providing appropriate and suitable safeguards for the transfer. These standardized contractual clauses provide sufficient safeguards to meet the adequacy and security requirements of the European General Data Protection Regulation. You can find the standard contractual clauses on the European Commission web-site:; or
  • certifications which demonstrate that third parties outside of the EEA process personal data in a way that is consistent with the European General Data Protection Regulation. These certifications are approved either by the European Commission, a competent supervisory authority or a competent national accreditation body in terms of General Data Protection Regulation.

Data subjects may receive the copy of the personal data transferred to the third countries at

10. The period for which the personal data will be stored

As a rule, the personal data are stored during the course of a given contractual relationship with CANPACK, as well as during a term subsequent to the end of such relationship in accordance with applicable statutory retention and limitation periods and document retention policies which result, amongst others, from civil, commercial and tax law as well as corporate governance and policies. Please note that specific legal or corporate requirements may require longer retention periods, e.g. obligation to safeguard evidence in case of claims.

Personal data that we are processing based on a data subject’s consent will be kept for unlimited period of time (or until the consent is revoked), unless otherwise prescribed by applicable legal requirements and presuming that it is necessary for the purpose of processing.

11. Data subject’s rights

The data subject has at any time the right to contact CANPACK if he or she wants to exercise his/her right of access to the personal data, rectification of the personal data, erasure of the personal data, right to restriction of processing, right to data portability. The data subject has also the right to object to processing.

The data subbject has the right to withdraw his/her consent to the processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The data subject also has a right to lodge a complaint with the supervisory authority.

12. Contact data

Your contact at CANPACK for any further information about this Privacy Notice and your rights is CANPACK Group Data Protection Representative at