STARBUCKS PRIVACY INFORMATION NOTICE

 

Last version: 10th April 2019

 

 

This privacy information notice (“Privacy Policy”) – provided pursuant to EU Regulation on Data Protection 2016/679 (“GDPR”) and Legislative Decree 196/2003 (“Privacy Code”) as amended by Legislative Decree 101/2018 – has as its object the personal data of applicants (“Applicants”) collected through the website Milan Starbucks Reserve Roastery Careers available at www.starbucksreservecareers.it (“Website”) and, more broadly, to personal data of users visiting the Website. The Website contains various information concerning the Milan Starbucks Reserve Roastery and the potential vacancies for which the Applicants may apply.

 

As prescribed under article 111-bis of the Privacy Code, whenever an Applicant spontaneously submitted its resume, an appropriate privacy information notice shall be provided at the first contact following such submission.

 

Should the Applicant be hired by Starbucks or a company of the Group, a specific privacy information notice shall be provided.

 

For the purposes of this Privacy Policy the terms “Starbucks”, “we”, “us”, “our”, “to us”, shall refer to Starbucks Italy S.r.l., with registered office in Via Monte Napoleone 29, Milan (“Company”), acting as data controller which may be contacted as per Section 4 below. The expression “user’s device” or “device” means computer, tablet, smartphone or other device utilized by the user in order to access our websites. This Privacy Policy shall apply exclusively in relation to the Website.

In the event of changes to this Privacy Policy, we are committed to update the present page and the effective date accordingly.

 

PART 1 - GENERAL INFORMATION

 

1. What personal data are collected?

 

When visiting the Website, the following categories of personal data may be collected: (1) personal data provided by Applicants and users; (2) personal data collected by automated means, and (3) personal data collected from other sources. Such information may be collected while a user is visiting the Website or upon submission by the Applicant of his/her resume.

 

a) Personal data provided by Applicants and users

We collect certain personal data during the use of services. Such personal data may include, by way of example, first name and last name, e-mail address, postal address, telephone number, demographic information (e.g. gender), professional experience and background, educational background, job skills, personal interests, position(s) to which one is interested and any other information provided in the resume, in the cover letter thereto or similar documentation.

 

b) Personal data collected by automated means

We collect certain personal data by automated means, including when the user accesses the Website or anyhow makes use of the services. Such personal data, whose collection may require the user’s consent, includes as follows:

 

Data on the user’s device and its use - When using a computer, a tablet a smartphone or other devices in order to access the Website, certain data relating to the browser or the device operated by the user may be collected. Such information might include the kind of device in use, the operating system, the browser (such as Internet Explorer, Firefox, Safari, Chrome or other browsers), the internet provider, the domain name, the IP address, the device and the advertising identifiers on user’s mobile device, the website from which the user was redirected, the web pages viewed by the user (including the date and time viewed it), the accessing or using services or features (including the date and time the user accessed or used it). We use technical cookies and similar technologies to collect this information.

 

Localization data – As part of the application process, it may entail the provision of localization data for the purposes of potential relocation of the Applicant.

 

c) Personal data collected from other sources

Certain personal data may be collected from third-party companies or organizations in order to rectify possible inaccurate information.

 

2. What are the purposes of the processing activities and the related legal basis?

 

We might process the user’s personal data we collect for the following purposes:

a. evaluation of the professional profile of the Applicant for the purpose of establishing the employment or

collaboration relationship;

b. administrative-accounting purposes, in the preparatory phase for the possible stipulation of the employment

or collaboration contract;

c. in order to comply with applicable national and European legislation and/or to respond to requests from

public authorities;

d. perform statistical evaluations relating to the Applicant and the employment in an aggregated form;

 

(purposes from letter a) to d) are jointly referred to as “Evaluation Purposes”)

 

e. in order to exercise and enforce our rights;

f. to carry out a merger, a transfer of assets, a transfer of either a business or a branch of business,

communicating and transferring personal data of the Applicant to third party or parties involved;

 

(purposes from letter e) to f) are jointly referred to as “Legitimate Interest Purposes”)

 

Pursuant to article 111-bis of the Privacy Code and article 6, paragraph 1, letter b) of the GDPR, the processing activities carried out for the Evaluation Purposes are necessary as essential to determine whether the Applicant is to be hired or not as well as to comply with applicable laws. Failure by the Applicant to provide his/her personal data which are necessary for the Evaluation Purposes will prevent the Company from carrying out the evaluation of his/her professional profile and, therefore, from hiring him/her.

 

The processing of personal data for the Legitimate Interest Purposes is carried out in accordance with Article 6, paragraph 1, letter f) of the GDPR for the pursuit of the legitimate interest of the Company which is fairly balanced with the interests of the Applicant and users, since the processing of personal data is limited to what is strictly necessary for the Company to exercise its rights and to undertake the actions required. Processing for Legitimate Interest Purposes is not mandatory and, therefore, the right of objection may be exercised as per Section 4 below whereupon personal data may not be used for the Legitimate Interest Purposes unless the legitimate interests of the Company prevail over the Applicants and/or user ones.

 

With reference to the above purposes, the processing of personal data will be carried out both via information technology and paper-based instruments.

 

3. Communication framework relating to user’s personal data

 

The personal data may be processed by the following categories of external third parties placed whether in the European Economic Area (EEA) or, subject to the limits outlined in Section 10 below, outside of it, acting either as independent data controller or as data processor, depending on the circumstances and in the following scenarios:

 

a. Cooperation between companies – Personal data may be shared between companies of the Starbucks Group, notably under Legitimate Interest Purposes.

 

b. Cooperation with service providers – Personal data may be accessed by providers of support services, such as the management of the Applicant, the analysis of his/her skills and educational background, as well as to communicate with the user and for other services including, by way of example, website hosting services, e-mail and postal address or other data analysis services.

 

c. Cooperation in the context of business operations – Should we be involved in mergers or other operations entailing the transfer of our business assets in whole or in part, subjects concerned by the negotiations or the transfer may access personal data of users.

 

d. Sharing to help protect our legitimate interests - Third parties may have access to personal data of the users if we believe that such sharing of information is required by law, necessary to execute our agreements or internal policies, or that it may help protect our rights, property or the security of Starbucks or the one of our customers or partners.

 

e. Sharing of personal data which is not user-identifier - We may share information about the user in anonymous form. By way of example, we may share information about the use of our Website in a way as not to identify the user whether directly or indirectly, or we may combine information concerning the user or the use of our services with similar information concerning other persons and share information in an aggregate form either for statistical analysis or other business purposes in a way as not to relate the information to the associated user.

 

 f. Collecting information about the use of our Website and services - We allow certain services providers to use the information collected on our Website and through our services in order to help us understand how users use our Website. Companies that use this information for such purposes neither match the information to the individual users nor cross/enrich the collected personal data with other data. In other words, statistical information coll ected by third parties regarding the use or performances of the Website is not matched or linked to the user.

 

Starbucks Italy S.r.l. has appointed Jupiter Advertising Limited as external data processor for the provision of services related to the Website. A list of all data processor appointed by Starbucks Italy S.r.l. is available at our headquarters.

 

4. What are the rights granted in relation to the processing of personal data?

 

Pursuant to articles 15 and following of GDPR, any data subject is granted the right to:

 

(a)obtain confirmation about the availability of personal data concerning him/her within the Company and to be informed about the content and source thereof;

(b)learn about the source of personal data, the purposes and modalities of the processing as well as the rationale applied to the processing activities carried out via electronic means;

(c)verify the accuracy of personal data concerning him/her and to request their rectification, completion or modification;

(d)obtain the erasure, the rendering in an anonymous form or the block of personal data possibly processed against the law, as well as to object to processing on legitimate grounds;

(e)ask the Company for the restriction of processing of personal data concerning him/her where

the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;

the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claim;

the data subject has objected to processing pursuant to Article 21, paragraph 1 of GDPR, pending the verification whether the legitimate grounds of the Company override those of the data subject.

(f) Object to processing of personal data concerning him/her for Legitimate Interest Purposes, unless the Company has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

(g) ask for the erasure of personal data concerning him/her without undue delay;

(h) to obtain a copy of personal data concerning him/her in a machine-readable format, whenever the data subject is willing to receive or to transmit such data to another data controller, where the Company processes personal data on the basis of the employment contract or the processing of personal data is carried out by automated means.

Pursuant to article 2-terdecies of the Privacy Code, in case of decease of the Applicant the above rights relating to personal data concerning him/her may be exercised by those who have their own interest, act for the protection of the data subject as a representative of him/her or act for family reasons worthy of protection. The Applicant may expressly prevent the successors from exercising the above rights by submitting a written statement to the Company to the e-mail address below. Such statement may be subsequently withdrawn or amended in the same way.

 

The Applicant (or its successor, within the limits depicted above) or the user may exercise the data protection rights at any time and free of charge by submitting a specific request to the e-mail address privacy@starbucks.com. Furthermore, it is possible to contact Starbucks Customer Relations via e-mail to the address customerfirst@starbucks.com.

 

Eventually, it is possible to submit a complaint to the Italian data protection authority “Garante per la Protezione dei Dati Personali” (www.garanteprivacy.it).

 

5. Cookies and similar technologies

 

We and others may use a variety of technologies to collect information about the user’s device and the use of our Website. These technologies include cookies and java scripts. Most network browsers may be programmed to accept or reject the use of some or all these technologies, even if the user needs to take further action to disable or control other technologies. For more information please see Part II - "User Preferences" of this Privacy Policy.

 

Cookies – Cookies are small data files sent by the server of a website and saved on the hard disk of the user's device only for the duration of the visit ("session cookie") or for a fixed period of time ("persistent cookies"). Cookies contain information that can be read by a network server afterwards.

 

Java scripts - Java scripts are snippet codes embedded in various parts of websites and applications that facilitate a variety of operations, including accelerating the update rate of certain features or monitoring the use of various online components.

 

Those and other similar technologies will be employed for the following purposes:

 

Services and functionalities – Some of these technologies are necessary to allow the user to access and use the Website as well as the various services and functionalities we offer. Without these technologies, certain services and functionalities of the Website would not work properly.

 

Monitoring of performances – Some of these technologies help us to analyze and assess the traffic and determine the volume of usage of the services and functionalities we offer. They show us how visitors and customers interact with our digital resources, the occurrence of shortcomings, the level of access and utilization of web pages, applications, services or functionalities and how they work or operate. No information identifier of the user is collected when these technologies are employed for the purpose of monitoring performances: these technologies are indeed used only to help us improve the modes in which the Website is used.

 

User-friendliness – Some of these technologies increase the user-friendliness level of the Website as well as the services and functionalities which they make available, speeding up the uploading and updating and memorizing information provided by the user in the course of previous visits to the Website or during the last use of a service.

 

The above-mentioned cookies are considered technical cookies and are used on the Website:

 

 

 

The user may disable technical cookies referred to in the above chart by clicking on the related links. However, please note that by disabling the cookies the use of the Website on the part of the user could be undermined.

 

6. Storage of user’s data

 

Personal data of Applicants will be stored for a period necessary for the pursuit of the purposes for which the personal data are processed, in conformity with the present Privacy Policy. At all events, the period at stake will not exceed 12 (twelve) months, except where a further period is required for possible legal proceedings, request from competent authorities or pursuant to applicable laws.

 

PART II – USER PREFERENCES

 

7. Cookies and similar technologies

 

In addition to the information previously provided, the user may disable the cookies by changing the browser settings. Every browser is different, although the most common ones (Internet Explorer, Chrome, Firefox and Safari) have preferences and options which might be changed in order to enable the user to accept or reject cookies and other certain technologies before they are set up or installed as well as to enable the user to remove or reject the use or the installation of certain technologies. If you want to know the correct way to change your browser settings, please use your browser's Help menu or visit the following links:

 

Google Chrome: https://support.google.com/chrome/answer/95647

Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies Safari: https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471

 

8. Technology“Do Not Track”

 

In conformity with the present Privacy Policy, certain latest browsers have made available the “Do Not Track” option whereby the visited websites are warned with a “Do Not Track” notice hence indicating that a user does not want to be tracked. As of today, we do not reply to the “Do Not Track” browser signals.

 

9. Use by children

 

The Website and the online services are not addressed to children under the age of 16 (sixteen). Parents or tutors who believe that personal data relating to their children are collected, are requested to contact us as per Section 4.

 

10. Transfer of personal data to third countries / EU-U.S. Privacy Shield

 

Personal data may be openly transferred outside of the national territory or to other countries of the European Union. Possible transfer to third countries outside the European Union may occur where necessary for the purposes referred to in Section 2 or, for instance, where the Company decides to locate its business server or databases outside the European Union or to avail itself of subjects placed abroad for the provision of outsourcing services. Such transfer will occur, in any case, in compliance with the appropriate safeguards foreseen by the applicable laws (i.e. by adopting standard data protection clauses or binding corporate rules on the basis of applicable laws and in conformity with the provisions laid down in articles 45, 46, 47 and 49 of the GDPR).

Starbucks Corporation adheres to and is provided with the relevant certificate of conformity with the EU-U.S. Privacy Shield (“Agreement”). Starbucks is responsible for the processing of personal data collected and subsequently transferred to third parties acting on its behalf pursuant to the Agreement. Within the framework of the execution of the Agreement, Starbucks undergoes the surveillance of the Federal Trade Commission and, in certain circumstances, may be requested to disclose personal data following legitimate calls from public authorities, also in order to fulfil national security requirements or legal obligations.

 

For further information on the Agreement please visit the following page https://www.privacyshield.gov/list.

 

For any issue on data protection matters or data usage please contact our responsible for the dispute settlement based in the U.S. (providing a free-of-charge assistance service) at the following link https://feedback- form.truste.com/watchdog/request

 

Data Protection Officer

 

The data protection officer pursuant to articles 37 and following of the GDPR can be contacted at the e-mail address privacy@starbucks.com.