STARBUCKS PRIVACY INFORMATION NOTICE
Last version: 10th April 2019
As prescribed under article 111-bis of the Privacy Code, whenever an Applicant spontaneously submitted its resume, an appropriate privacy information notice shall be provided at the first contact following such submission.
Should the Applicant be hired by Starbucks or a company of the Group, a specific privacy information notice shall be provided.
PART 1 - GENERAL INFORMATION
1. What personal data are collected?
When visiting the Website, the following categories of personal data may be collected: (1) personal data provided by Applicants and users; (2) personal data collected by automated means, and (3) personal data collected from other sources. Such information may be collected while a user is visiting the Website or upon submission by the Applicant of his/her resume.
a) Personal data provided by Applicants and users
We collect certain personal data during the use of services. Such personal data may include, by way of example, first name and last name, e-mail address, postal address, telephone number, demographic information (e.g. gender), professional experience and background, educational background, job skills, personal interests, position(s) to which one is interested and any other information provided in the resume, in the cover letter thereto or similar documentation.
b) Personal data collected by automated means
We collect certain personal data by automated means, including when the user accesses the Website or anyhow makes use of the services. Such personal data, whose collection may require the user’s consent, includes as follows:
Data on the user’s device and its use - When using a computer, a tablet a smartphone or other devices in order to access the Website, certain data relating to the browser or the device operated by the user may be collected. Such information might include the kind of device in use, the operating system, the browser (such as Internet Explorer, Firefox, Safari, Chrome or other browsers), the internet provider, the domain name, the IP address, the device and the advertising identifiers on user’s mobile device, the website from which the user was redirected, the web pages viewed by the user (including the date and time viewed it), the accessing or using services or features (including the date and time the user accessed or used it). We use technical cookies and similar technologies to collect this information.
Localization data – As part of the application process, it may entail the provision of localization data for the purposes of potential relocation of the Applicant.
c) Personal data collected from other sources
Certain personal data may be collected from third-party companies or organizations in order to rectify possible inaccurate information.
2. What are the purposes of the processing activities and the related legal basis?
We might process the user’s personal data we collect for the following purposes:
a. evaluation of the professional profile of the Applicant for the purpose of establishing the employment or
b. administrative-accounting purposes, in the preparatory phase for the possible stipulation of the employment
or collaboration contract;
c. in order to comply with applicable national and European legislation and/or to respond to requests from
d. perform statistical evaluations relating to the Applicant and the employment in an aggregated form;
(purposes from letter a) to d) are jointly referred to as “Evaluation Purposes”)
e. in order to exercise and enforce our rights;
f. to carry out a merger, a transfer of assets, a transfer of either a business or a branch of business,
communicating and transferring personal data of the Applicant to third party or parties involved;
(purposes from letter e) to f) are jointly referred to as “Legitimate Interest Purposes”)
Pursuant to article 111-bis of the Privacy Code and article 6, paragraph 1, letter b) of the GDPR, the processing activities carried out for the Evaluation Purposes are necessary as essential to determine whether the Applicant is to be hired or not as well as to comply with applicable laws. Failure by the Applicant to provide his/her personal data which are necessary for the Evaluation Purposes will prevent the Company from carrying out the evaluation of his/her professional profile and, therefore, from hiring him/her.
The processing of personal data for the Legitimate Interest Purposes is carried out in accordance with Article 6, paragraph 1, letter f) of the GDPR for the pursuit of the legitimate interest of the Company which is fairly balanced with the interests of the Applicant and users, since the processing of personal data is limited to what is strictly necessary for the Company to exercise its rights and to undertake the actions required. Processing for Legitimate Interest Purposes is not mandatory and, therefore, the right of objection may be exercised as per Section 4 below whereupon personal data may not be used for the Legitimate Interest Purposes unless the legitimate interests of the Company prevail over the Applicants and/or user ones.
With reference to the above purposes, the processing of personal data will be carried out both via information technology and paper-based instruments.
3. Communication framework relating to user’s personal data
The personal data may be processed by the following categories of external third parties placed whether in the European Economic Area (EEA) or, subject to the limits outlined in Section 10 below, outside of it, acting either as independent data controller or as data processor, depending on the circumstances and in the following scenarios:
a. Cooperation between companies – Personal data may be shared between companies of the Starbucks Group, notably under Legitimate Interest Purposes.
b. Cooperation with service providers – Personal data may be accessed by providers of support services, such as the management of the Applicant, the analysis of his/her skills and educational background, as well as to communicate with the user and for other services including, by way of example, website hosting services, e-mail and postal address or other data analysis services.
c. Cooperation in the context of business operations – Should we be involved in mergers or other operations entailing the transfer of our business assets in whole or in part, subjects concerned by the negotiations or the transfer may access personal data of users.
d. Sharing to help protect our legitimate interests - Third parties may have access to personal data of the users if we believe that such sharing of information is required by law, necessary to execute our agreements or internal policies, or that it may help protect our rights, property or the security of Starbucks or the one of our customers or partners.
e. Sharing of personal data which is not user-identifier - We may share information about the user in anonymous form. By way of example, we may share information about the use of our Website in a way as not to identify the user whether directly or indirectly, or we may combine information concerning the user or the use of our services with similar information concerning other persons and share information in an aggregate form either for statistical analysis or other business purposes in a way as not to relate the information to the associated user.
f. Collecting information about the use of our Website and services - We allow certain services providers to use the information collected on our Website and through our services in order to help us understand how users use our Website. Companies that use this information for such purposes neither match the information to the individual users nor cross/enrich the collected personal data with other data. In other words, statistical information coll ected by third parties regarding the use or performances of the Website is not matched or linked to the user.
Starbucks Italy S.r.l. has appointed Jupiter Advertising Limited as external data processor for the provision of services related to the Website. A list of all data processor appointed by Starbucks Italy S.r.l. is available at our headquarters.
4. What are the rights granted in relation to the processing of personal data?
Pursuant to articles 15 and following of GDPR, any data subject is granted the right to:
(a)obtain confirmation about the availability of personal data concerning him/her within the Company and to be informed about the content and source thereof;
(b)learn about the source of personal data, the purposes and modalities of the processing as well as the rationale applied to the processing activities carried out via electronic means;
(c)verify the accuracy of personal data concerning him/her and to request their rectification, completion or modification;
(d)obtain the erasure, the rendering in an anonymous form or the block of personal data possibly processed against the law, as well as to object to processing on legitimate grounds;
(e)ask the Company for the restriction of processing of personal data concerning him/her where
the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claim;
the data subject has objected to processing pursuant to Article 21, paragraph 1 of GDPR, pending the verification whether the legitimate grounds of the Company override those of the data subject.
(f) Object to processing of personal data concerning him/her for Legitimate Interest Purposes, unless the Company has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
(g) ask for the erasure of personal data concerning him/her without undue delay;
(h) to obtain a copy of personal data concerning him/her in a machine-readable format, whenever the data subject is willing to receive or to transmit such data to another data controller, where the Company processes personal data on the basis of the employment contract or the processing of personal data is carried out by automated means.
Pursuant to article 2-terdecies of the Privacy Code, in case of decease of the Applicant the above rights relating to personal data concerning him/her may be exercised by those who have their own interest, act for the protection of the data subject as a representative of him/her or act for family reasons worthy of protection. The Applicant may expressly prevent the successors from exercising the above rights by submitting a written statement to the Company to the e-mail address below. Such statement may be subsequently withdrawn or amended in the same way.
The Applicant (or its successor, within the limits depicted above) or the user may exercise the data protection rights at any time and free of charge by submitting a specific request to the e-mail address firstname.lastname@example.org. Furthermore, it is possible to contact Starbucks Customer Relations via e-mail to the address email@example.com.
Eventually, it is possible to submit a complaint to the Italian data protection authority “Garante per la Protezione dei Dati Personali” (www.garanteprivacy.it).
5. Cookies and similar technologies
Cookies – Cookies are small data files sent by the server of a website and saved on the hard disk of the user's device only for the duration of the visit ("session cookie") or for a fixed period of time ("persistent cookies"). Cookies contain information that can be read by a network server afterwards.
Java scripts - Java scripts are snippet codes embedded in various parts of websites and applications that facilitate a variety of operations, including accelerating the update rate of certain features or monitoring the use of various online components.
Those and other similar technologies will be employed for the following purposes:
Services and functionalities – Some of these technologies are necessary to allow the user to access and use the Website as well as the various services and functionalities we offer. Without these technologies, certain services and functionalities of the Website would not work properly.
Monitoring of performances – Some of these technologies help us to analyze and assess the traffic and determine the volume of usage of the services and functionalities we offer. They show us how visitors and customers interact with our digital resources, the occurrence of shortcomings, the level of access and utilization of web pages, applications, services or functionalities and how they work or operate. No information identifier of the user is collected when these technologies are employed for the purpose of monitoring performances: these technologies are indeed used only to help us improve the modes in which the Website is used.
User-friendliness – Some of these technologies increase the user-friendliness level of the Website as well as the services and functionalities which they make available, speeding up the uploading and updating and memorizing information provided by the user in the course of previous visits to the Website or during the last use of a service.
The above-mentioned cookies are considered technical cookies and are used on the Website:
The user may disable technical cookies referred to in the above chart by clicking on the related links. However, please note that by disabling the cookies the use of the Website on the part of the user could be undermined.
6. Storage of user’s data
PART II – USER PREFERENCES
7. Cookies and similar technologies
In addition to the information previously provided, the user may disable the cookies by changing the browser settings. Every browser is different, although the most common ones (Internet Explorer, Chrome, Firefox and Safari) have preferences and options which might be changed in order to enable the user to accept or reject cookies and other certain technologies before they are set up or installed as well as to enable the user to remove or reject the use or the installation of certain technologies. If you want to know the correct way to change your browser settings, please use your browser's Help menu or visit the following links:
Google Chrome: https://support.google.com/chrome/answer/95647
Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies Safari: https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471
8. Technology“Do Not Track”
9. Use by children
The Website and the online services are not addressed to children under the age of 16 (sixteen). Parents or tutors who believe that personal data relating to their children are collected, are requested to contact us as per Section 4.
10. Transfer of personal data to third countries / EU-U.S. Privacy Shield
Personal data may be openly transferred outside of the national territory or to other countries of the European Union. Possible transfer to third countries outside the European Union may occur where necessary for the purposes referred to in Section 2 or, for instance, where the Company decides to locate its business server or databases outside the European Union or to avail itself of subjects placed abroad for the provision of outsourcing services. Such transfer will occur, in any case, in compliance with the appropriate safeguards foreseen by the applicable laws (i.e. by adopting standard data protection clauses or binding corporate rules on the basis of applicable laws and in conformity with the provisions laid down in articles 45, 46, 47 and 49 of the GDPR).
Starbucks Corporation adheres to and is provided with the relevant certificate of conformity with the EU-U.S. Privacy Shield (“Agreement”). Starbucks is responsible for the processing of personal data collected and subsequently transferred to third parties acting on its behalf pursuant to the Agreement. Within the framework of the execution of the Agreement, Starbucks undergoes the surveillance of the Federal Trade Commission and, in certain circumstances, may be requested to disclose personal data following legitimate calls from public authorities, also in order to fulfil national security requirements or legal obligations.
For further information on the Agreement please visit the following page https://www.privacyshield.gov/list.
For any issue on data protection matters or data usage please contact our responsible for the dispute settlement based in the U.S. (providing a free-of-charge assistance service) at the following link https://feedback- form.truste.com/watchdog/request
Data Protection Officer
The data protection officer pursuant to articles 37 and following of the GDPR can be contacted at the e-mail address firstname.lastname@example.org.