RULES FOR THE USE OF THE WEBSITE and INFORMATION ON PERSONAL DATA PROCESSING

RULES FOR THE USE OF THE WEBSITE and INFORMATION ON PERSONAL DATA PROCESSING

Copyright

The owner and operator of the website www.starbucks.bg is the company AmRest EOOD, having its registered office at Sofia, 1, Momin Kladenets Str. floor 3, entered in the Commercial Register maintained at the Sofia District Court, file C 84710, Company Number 175395555, Taxpayer Identification Number: BG175395555 (hereinafter referred to as the “Company”).

The Company holds all copyrights to all content which the Company places on the website www.starbucks.bg (hereinafter referred to as the “Website”).

The rights and obligations of the Company and of the users when using this Website are governed by these Rules for the Use of the Website (hereinafter referred to as the “Rules”). The Rules apply to all persons who visit this Website (hereinafter referred to as “Users”). The Rules may be updated at any time. The date of updating the Rules shall be indicated on the final page of the Rules.

Links to other sites

Links are presented on the Website to websites over which the Company has no control. Should a User visit one of these websites, he/she should acquaint him/herself with the rules of using the website and with security standards. The Company is not liable for the expressions and procedures of the operators of such websites.

User conduct

The User undertakes, when using this Website, to respect the valid legal regulations of Bulgaria, to invariably act in accordance with good morals and with these Rules and not to damage in any way the repute and rights of the Company or of other Users.

Liability

Any risks arising for the User from using this Website are entirely the responsibility of the User and the Company is not liable for these. All disputes arising in connection with the use of the Website shall be resolved by the court having local and subject-matter jurisdiction over the Company in Bulgaria.

Information about personal data processing

Adherence to legal regulations regarding personal data protection

In the course of its activity, the Company processes certain personal data relating to its customers, Users, and its employees and assumes the role of personal data controller in relation to processing such personal data.

When processing personal data, the Company proceeds strictly in accordance with legal regulations, in particular REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation”).

The personal data processed, the purposes of processing

Customers

The Company normally does not process the personal data of customers when preparing and selling meals at its restaurants. Should a customer place an order with the Company for the delivery of food to a specific address, his/her contact data (first name, surname, place of residence / delivery address, e-mail address and telephone number) is processed based on the contract entered into with the customer, this for the purpose of processing the relevant order.

Apart from cases involving the delivery of food to the customer, the personal data of customers is processed only in cases in which the customer decides to use one of the Company’s loyalty programmes or to participate in one of the Company’s consumer competitions. In such case the personal data of customers (the processed personal data might include, depending on the specific case, the customer’s first name and surname, place of residence, e-mail address, date of birth, telephone number, payment details and, where appropriate, information about his/her order and the places at which purchases are made) is only processed with the consent of the customer, which the customer provides voluntarily in accordance with the rules of the relevant loyalty programme or consumer competition.

The personal data of customers is processed within the bounds of loyalty programmes for the purpose of making it easier to handle the orders of the relevant customer, marketing (for example, as part of the marketing campaigns of the Company, to provide information about new products, for the delivery of the Company’s commercial communications or to provide notification of prizes won and other benefits pertaining to the customer) and for the purpose of surveying customer satisfaction. Personal data is processed in the case of consumer competitions for the purpose of handing over prizes to the winners of a competition.

Website users

The Company uses cookies on its Website. Cookies help ensure faster and more effective browsing of the Website and adapt the displaying of products and other content to the individual interests and specific needs of the User. Cookies are used to compile anonymous aggregated statistics which make it possible to understand the way in which Users use the Website, and to thus optimise its structure and content, and to ensure certain functions of the Website and to personalise advertisements.

The Company uses two types of cookies – session cookies and persistent cookies. Session cookies are used temporarily and remain stored in the User’s device until such time as he/she signs out of the Website or closes the application (web browser). By contrast, persistent cookies remain in the User’s device either for the period of time defined in the parameters of the relevant cookie or until the User him/herself deletes them.

The information obtained through the use of cookies may only be collected for the purpose of mediating and performing certain user functions. This data is encrypted in a way which disables access to unauthorised persons.

It generally stands that the application used to browse the Website makes it possible to store cookies files in the User’s device in the default setting. This regime may be altered by either blocking cookies entirely in the settings of the web browser or by partially blocking them – the User is then informed each time his/her device stores cookies. More detailed information about the possibilities and ways of handling cookies is available in application settings (web browser).

The Website collects information about the User’s IP address (i.e. a number which unambiguously identifies the network interface of the User in the computer network), the name of his/her domain and the type of his/her browser and operating system. The purpose of processing this data is similar to that in the case of cookies, meaning that this data is used by the Company to compile statistics which analyse the use of the Website and to personalise advertising.

The personal data of Users is processed subject to their consent, which is voluntary and is provided by the User either when accessing the Website or is expected in connection with the use of the Website.

Employees

The Company processes the personal data of employees to the extent required for the fulfilment of their statutory obligations (for example, the obligation to deduct or levy tax, to keep records for the purposes of health insurance and social security, etc.). The employee is obliged to provide the Company with this data; failure to provide such data would constitute breach of legal regulations by the employee and/or the Company and would lead to the possibility of sanctions being imposed by the competent state bodies.

The Company processes the personal data of employees beyond the scope of that required by law only with their consent and as part of asserting the legitimate interests of the Company or performing the contract entered into by and between the Company and the employee, in particular for the purpose of processing personal data in the CVs of applicants for employment at the Company, the preparation of publicity materials, managing Company profiles on social networks, keeping records of the use of company cars at the Company, providing information about Company events, protecting the property of the Company (primarily using camera systems) or when ensuring access for authorised persons to Company premises.

The provision of data to other subjects

The Company only provides personal data which it has already processed to partners at which technical and organisational measures for the protection of data and fulfilment of the other obligations arising from the General Data Protection Regulation have been established. Company partners have access to personal data only to the extent required for the performance of their tasks. The Company therefore, in certain cases, provides personal data to other companies from the AmRest Group and to external partners that provide the Company with services relating to the placement of personal data on the common servers of the AmRest Group, the management of applications for loyalty programmes, the assurance of payments for purchases from the Company and the assessment of marketing surveys. The personal data of Company employees is provided to the external accounting firm which compiles accounting, tax and payroll records for the Company and, in isolated cases, to companies which provide the Company, and other companies in the AmRest Group, with services which allow Company employees to report cases of violation of legal regulations or cases in which the Company, its partners or other employees adopt(s) an unethical approach.

Under no circumstances does the Company provide personal data to other parties in exchange for payment.

The transfer of personal data abroad

The Company may transfer personal data to other countries within the European Union and, in certain cases, to other countries (USA) whether or not, in the case of such other countries, the European Commission has already decided on the level of protection of personal data equalling the level in existence in the European Union.

Personal data is transferred to other companies in the AmRest Group, if required in a specific case, based on a contract, pursuant to which the recipient of personal data undertakes to uphold a high standard of personal data protection (the transfer of personal data is based on “standard clauses” on the protection of personal data according to Article 46(2)(c) of the General Data Protection Regulation) and/or subject to the consent of the person whose personal data is transferred.

Data storage

The Company stores personal data only for the period of time required to achieve the purpose of its processing and does so according to the rules specified hereunder:

  • in the case of loyalty programmes, personal data is stored only for the period of duration of the customer’s participation in the loyalty programme;
  • the personal data of Users is stored for a maximum of two years following their last Website visit;
  • in the case of employees, personal data is stored for the archiving time limits laid down by law;
  • footage from security cameras is stored for a maximum period of ten days.

Withdrawing consent to the processing of personal data

If the Company processes the personal data of its customers, Users or employees subject to their consent, the person in question has the right to withdraw his/her consent to the processing of personal data. He/she may do this through the relevant application, in an e-mail sent to ivan.georgiev@amrest.eu or by post.

If consent to the processing of personal data is withdrawn, the data provided shall be deleted, unless it is possible to process the data even without the consent of the person in question based on valid legal regulations. However, withdrawal of consent shall not affect the processing of personal data until the time at which consent is withdrawn.

Other rights

The customer or the Company employee or the User may also enjoy the other rights arising from the General Data Protection Regulation according to the specific situation; i.e. the following rights:

  • the right to access personal data, i.e. the right to receive from the Company confirmation of whether personal data which concerns him/her is or is not processed and if so, he/she has the right to access such personal data and information about:
    • the purposes of processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients to which personal data has been or shall be made available;
    • the planned period of storage of personal data or the criteria used to determine the length of this period;
    • the existence of the right to demand that the Company correct or delete personal data or restrict the processing of personal data and/or to lodge an objection against the processing of personal data;
    • the right to lodge a complaint with the supervisory authority;
    • the sources of personal data, if such data is not obtained from the applicant;
    • the execution of automated decision-making, including profiling, and about information to concern the procedure used and the meaning and expected consequences for the applicant;
    • the transfer of personal data to countries outside the European Union (so-called third countries) or to international organisations and about adequate guarantees regarding the processing of personal data provided in connection with the transfer of such data.
    • The customer or the Company employee or the User of the Website also has the right to obtain a copy of the processed personal data. However, the rights and freedoms of other persons may not be negatively affected by this right.
  • the right to the correction of personal data, if his/her personal data is inaccurate;
  • the right to the deletion of personal data (“the right to be forgotten”), if one of the following reasons exists:
    • personal data is no longer required for the purposes for which it was collected or otherwise processed;
    • withdrawal of consent to the processing of personal data and the non-existence of any further legal grounds for processing;
    • justified objections are brought to the processing of personal data;
    • personal data has been processed unlawfully;
    • personal data must be deleted in order for the legal obligations which bind the Company to be fulfilled;
    • personal data has been collected in connection with the offer of services of the information society to a child.
  • the right to restrict processing in the following cases:
    • the accuracy of personal data is contested, for the period of time required for the Company to verify the accuracy of personal data;
    • the processing of personal data is unlawful, but the restriction of use of such personal data is demanded instead of its deletion;
    • the Company no longer requires the personal data for the purposes of processing, but the applicant requires it for the specification, execution or defence of legal claims;
    • an objection has been lodged against processing in the case of processing personal data for the purposes of the legitimate interests of the Company, until such time as it has been verified whether or not the legitimate grounds of the Company prevail over the legitimate grounds of the person lodging the objection.
  • the right to data portability, i.e. the right to obtain personal data to concern him/her in a structured, commonly-used and machine-readable format and the right to transfer such data to another controller (or to request the transfer of data from the Company to another controller) in the case that personal data processing is based on consent or on a contract and is conducted automatically;
  • the right to lodge an objection, i.e. the right to lodge a complaint against the processing of personal data for the purposes of the legitimate interests of the Company; and
  • the right to lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů) or, where appropriate, with the competent office of another European Union State.

The customer or Company employee or User of the Website may exercise its rights by contacting the Company. The contact details of the Company are presented below.

How you can contact us

You can contact the Company with any questions or remarks you might have at the address specified above, by calling +359 888 353 250 or by e-mail at ivan.georgiev@amrest.eu.

You can also contact the Data Protection Officer for the Company, Todorka Maratilova, e-mail: Todorka.maratilova@amrest.eu, mobile: +359 894 521 578 in connection with the processing of personal data at the Company.


Sofia, 20.4.2018