Find a store

Privacy Policy
 

AmRest Coffee EOOD accepts and adheres to the established and published policies and general terms and conditions for personal data protection of members of the AmRest Group.

By using the website – www.starbucks.bg, you agree to the terms and conditions regarding the collection, use and disclosure of your personal data in accordance with this Privacy Policy.

Information about the personal data controller

AmRest Coffee EOOD (hereinafter referred to as Controller, AmRest, We, Us, the Company) is a sole proprietor limited liability company entered in the Commercial Register with UIC 175395555, with registered office and address for correspondence: Sofia, Boyanski Vodopad 20 st.

How to contact Us:

In case of any inquiries, comments or submissions concerning the processing of your personal data, please contact AmRest by sending a message to [email protected] or to the registered office of the company at the address Sofia, Boyanski Vodopad 20 st.

AmRest Coffee EOOD also appointed a Data Protection Officer – Snejana Ivanova, telephone: +359 885103173, e-mail address: [email protected]

 

Supervising body contact information

Commission for Personal Data Protection

Address: Sofia 1592, 2 Tsvetan Lazarov Blvd.

Website: www.cpdp.bg

 

It is recommendable that you spared time to acquaint yourself with this Privacy policy and to review it periodically because we could change it sporadically.

 

1. Scope

The protection of your personal data is of high priority for AmRest. This Privacy policy reveals how AmRest collects, stores, processes, protects, uses and discloses personal and other data collected about you in writing, orally, electronically or while using the website www.starbucks.bg (with any other all future websites operated by or on behalf of AmRest, hereinafter referred to as the „Website”). Our personal data protection practices are in accordance with the applicable Bulgarian data protection legislation and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

 

2. Main definitions

For the purposes of this Privacy policy, the following terms are used:

"Personal data" is any information concerning an identified or identifiable natural person, including but not limited to: (a) first name or initial and last name; (b) a unique PIN; (c) a permanent or current address; (d) telephone number; (e) email address or online identifier associated with the person; (f) financial, health or professional data; (g) behavioral or demographic characteristics when linked to personal identifiers; (h) voice data and video or (i) any other information relating to an individual when combined with any of the above.

Other data, as determined by the applicable law, which may be anonymized and/or summarized, as well as any other information that does not reveal the identity of the individual or in not directly linked to it. Other data may be, but are not limited to: cookies, IP address and information derived from IP addresses, information contained in HTTP headers. Other data stored by Internet protocols, browsers or various devices, operating systems and information used by „APPS” applications on your mobile device, screen resolution, behavioral data for your use of the sites and preferred languages.

Processing of personal and other data means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, use, disclosure by transmission, dissemination or otherwise making available or other means by which data become available, arranged or combined, restricted, deleted or destroyed;

Sensitive personal data are types of personal data that may include, but are not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Providers of goods and services are third parties that we use under contractual relations to fulfill our legal obligations, to conduct our business activities and to provide you with many of our services, functions and aspects of the Website.

3. What personal and other data do we collect

Our privacy policies depend on the type of relationship you have with AmRest and on the legal requirements. We strive to collect personal and other data only to the extent necessary to provide you with the products, services or information you have requested or for the recruitment of the necessary personnel for the proper functioning of the Company. We may use the information to improve the functioning of our Website in accordance with this Privacy policy. Below are the reasons and some of the ways we collect and use information.

Your personal data may also be collected in connection with client programs and games organized by AmRest on various social networks. Each Client program and Game has individual terms and conditions with detailed description of the rules, the prizes, the required personal data to be collected, the collection methods, the storage periods and purposes of the processing.

When organizing such Client Programs and Games, AmRest also complies with the general rules for personal data protection set by the particular social platform on which the Game is distributed. Usually, but not only this is Facebook.

3.1. Users

AmRest collects user data in various ways. In all cases, we only collect only personal data that you have voluntarily provided and we do not collect any other data that has not been provided to us without your voluntary consent.

3.1.1. Personal data voluntarily provided by you

You may choose to communicate with us and to provide personal data such as your:

  • names, email and postal address, telephone and/or mobile number, city, postal code and other contact information.

3.1.2. What are the purposes of using your personal data

AmRest uses the above data when provided by users in the cases of:

  1. performance of contract concluded with a client, including delivery of goods and services;
  2. submission of opinions, complaints, suggestions, objections, etc. by the customers;
  3. customer satisfaction surveys;
  4. providing responses;
  5. connection to the Wi-Fi network provided by Starbucks establishments;
  6. contacting us by phone, email, or post with questions, recommendations or complaints.
  7. to answer your questions and complaints regarding the quality of the offered goods;
  8. in relation with Client programs and in case you are a winning participant in the Games organized by AmRest.

AmRest does not collect personal data of its customers unless they contact us directly. In order to adequately respond to customer questions, personal data may be exchanged with the AmRest group.

3.1.3. Other data collected automatically

We collect data automatically through the Website. However, if we combine your personal data with the data we collect automatically (e.g., geographical location of your IP address and if we match it with the behavioral information about your use of the Website and your name) we treat this data as personal.

AmRest and their online advertising and marketing partners may use various technologies to collect information, including:

3.1.4. Cookies

Like many other websites, we also use devices that collect data, such as cookies. We collect these data to analyze the traffic to our site and to measure the effectiveness of the offered promotions. The cookie is a text string sent by the Website to the cookies file on the hard disk to your computer so that the Website can remember you.

The cookie typically contains the domain name from which the cookie came from, the cookie's „lifecycle” and a value that typically is a randomly generated unique code.

This allows us This helps us to provide you better use of our Website and also allows us to improve our services.

Some important things that you should know about the cookies:

AmRest offers certain features that are accessible only through the use of cookies.

  • they are used to improve the use of the Website.
  • most cookies are „session cookies” meaning they are automatically deleted from your hard drive at the end of the session.

You may accept or decline the cookies by changing your browser settings. If you decline the cookies, this may prevent you from using all the website's interactive features.

3.1.4. Internet Protocol (“IP”) Addresses

The IP address is associated with your computer or your mobile device. AmRest may use your IP address to help diagnose problems with the AmRest server, to administer the Website and to maintain contact with you while you use the Website.

3.2. Potential employees

If you wish to be a part of the team of AmRest and to submit a job application or your CV, we will process and store the personal data entered in the said documents for a period not longer than 6 months after the recruitment is completed. The collected personal data may contain, but are limited to:

  • Identification: names, address, phone number, e-mail address, date of birth, citizenship;
  • Education and professional qualification: data related to education, employment history, professional and personal qualifications and skills, where necessary and required for the position.

These personal data are stored in accordance with the privacy rules provided when applying for a job at AmRest.

3.3. Employees

AmRest processes the following personal data of its employees:

  • Identification: Three names, PIN, date of birth, permanent address, education and professional qualification; professional experience, bank account number;
  • Health data, including medical certificates of all employees and data from the personal health certificates of the employees working directly with food;
  • Data about judicial history - certificates of no conviction.

These personal data are stored in accordance with the internal rules for data protection of AmRest.

 

3.4. Contractors and providers

Regarding our providers of goods and services who are natural persons /such as freelancers/ and the representatives or the contact persons of our providers of goods and services who are legal entities, AmRest processes the following personal data:

  • Identification: names, PIN, address, phone number, e-mail address, date of birth;
  • Professional activity: position, status;

These personal data are stored in accordance with the internal rules for data protection of AmRest.

 

3.5. Visitors of premises

Regarding the persons who visit the premises of AmRest where there is CCTV, AmRest processes the following personal data:

  • Identification: voice data and video image;

These personal data are stored in accordance with the rules of AmRest for personal data protection during CCTV and monitoring.

 

4. How we collect data

Customers

The company does not usually process personal data of customers when preparing and selling beverages and food at its stores.

Personal data of customers are processed when the customer chooses to participate in any of the programs or games organized by the Company. In this case, the customer personal data (the processed personal data may include, as the case may be, the customer's first and last name, current address, email address, date of birth, telephone number, payment information and, where applicable, information about the order and the place of purchase) are processed only with the consent of the customer, provided voluntarily in accordance with the rules of the respective program and game.

The personal data of the customers are processed within client programs for the purpose of facilitating the execution of the orders of the specific customer, for marketing (for example as part marketing campaigns of the company, for providing information about new products, for delivering commercial information about the Company or for notification about awards or other winnings of the customer) and for the purpose of tracking the customer satisfaction.

The customer personal data (the processed personal data may include, as the case may be, the customer's first and last name, current address, email address, date of birth, telephone number, payment information and, where applicable, information about the order and the place of purchase) are processed also when the customer contacts the company about expression of opinions, complaints, proposals, objections, etc.

 

Users of the Website

The Company uses cookies on its Website. The cookies provide faster and more efficient browsing of the Website and customize the display of products and other content to the personal interests and the specific needs of the user. The cookies are used to collect accumulated anonymous statistics enabling understanding of the way of using the Website and allowing optimization of its the structure and contents, as well as for providing certain features of the Website and customization of the ads.

The company uses two types of cookies – temporary (session) and permanent cookies. The session cookies are used temporarily and are stored on the user's device until he exits the websites or closes the application (the web browser). In contrast, the permanent cookies remain on the User's device for the time specified in the parameters of the respective cookie or until the User deletes them.

The information obtained through the use of cookies may only be collected for the purposes of mediating and performing certain user functions. These data is encrypted in a way that prevents unauthorized persons from accessing them.

Typically, the application used to browse the Website allows storage of the cookies files on the User's device according to the original settings. This mode can be changed either by blocking the cookies completely in web browser settings or by blocking them partially – in this case, the User is notified every time the device stores cookies. More detailed information about the cookie management is available in the application settings (the web browser).

The website collects information about the user's IP address (i.e. the number that unambiguously identifies the network interface of the computer network to the User), the domain name, the type of web browser and the operating system. The purposes of processing these data are similar to the cookies, which means that these data are used by the Company for collection of statistics to analyze the use of the Website and to customize the ads.

The personal data of the user are processed if there is consent given voluntarily by the user by loading the Website or implicitly expected in connection with the use of the Website.

Employees and potential employees

The company processes the personal data of employees and potential employees to the extent necessary for recruitment and employment and for fulfillment of its legal obligations (e.g. the obligation for withholding or taxation, to keep files for health and social security, etc.) The employee is obliged to provide this information to the Company. The failure to provide these data is considered a violation of the statutory requirements by the employee and/or the Company and may lead to sanctions by the competent public authorities.

The Company processes the personal data of the employees for other than the legitimate purposes only with their consent and as part of the verification of the legitimate interests of the Company or the execution of the contract concluded by and between the Company and the employee, in particular for the purposes of processing personal data in the CVs of the job applicants, preparation of promotional materials, management of the Company profiles on social networks, keeping records for the use of Company's cars, providing information of events of the Company, protection of the property of the Company (mainly the use of CCTV systems) or in providing to authorized persons access to the premises of the Company.

 

5. What do we do with the personal and other data we collect

First, we use the data you provide or that we collect to provide you the products, services or information that you have requested. We also use the data to improve the functionality of our Website.

We may use your data to provide you information about products or services of AmRest or the AmRest group that may be of interest to you. In order to be able to automatically address the customers’ questions and to provide the servants offered through our Website, we may exchange information with our service providers.

We may provide your data to personal data processing accounting companies for the purpose of meeting AmRest's statutory obligations under the labour, social security, tax and administrative law. The provision of personal data by AmRest to personal data processors is done on the grounds and in connection with written contracts under which the processors have explicit obligations for confidentiality and for implementation of measures to protect the personal data processed on our behalf. The processors on behalf of AmRest guarantee that they do not use the information for purposes other than contractual and that they ensure data protection in accordance with applicable confidentiality requirements and the general principles of privacy described in the Privacy policy and defined by Regulation (EU) 2016/679 of 27.04.2016 and the Personal Data Protection Act.

 

6. Choice

You have the right to deny certain use and disclosure of your personal data, as set out in this Policy. AmRest will make every effort to obtain your explicit consent before disclosing sensitive data to a third party or before processing sensitive data for a purpose other than the initial one or for a purpose subsequently permitted by you. Where the consent to personal data processing is required by law or contract.

If you participate in a promotion, the personal data provided by you will be processed in accordance with the confidentiality rules applicable to that promotion if they differ from this Policy.

7. Where do we store your personal data

All personal information submitted and collected through the websites is stored on our servers, on the shared servers of the AmRest Group, on the servers of other controllers or processors with whom AmRest has recruitment contracts, or on the servers of our providers of goods and services. By using our websites you agree to that we store your data in the above locations.

7.1. Transfer of personal data to third parties

The company provides already processed personal data only to partners with established technical and organizational data protection measures and other obligations arising from Regulation (EU) 2016/679 of 27.04.2016 and the PDPA. The partners of the Company have access to personal data only to the extent necessary to fulfill their obligations. Therefore, in certain cases the Company provides personal data to other companies of the AmRest group and to external partners who provide services to the Company related to the entering of personal data on the shared servers of the AmRest group, the management of the applications for loyalty programs, the payments of purchases by the Company and analysis of marketing surveys. The personal data of the Company's employees are provided to the external accounting company, which collects the accounting and tax records and payrolls of the Company and in some cases to companies providing the Company and other companies of the AmRest group services allowing the Company's employees to report cases of violation of legal provisions or cases where the Company, its partners or its employees act unethically.

Under no circumstances the Company provides personal data to third parties for a fee.

7.2. Transfer of data to third countries

The Company may transfer personal data to countries outside the European Union and, in some cases to third countries (USA), regardless of whether there is a decision of the European Commission on the level of personal data protection in these third countries that is equivalent to the European one.

The personal data transferred to other companies of the AmRest Group, if necessary, on the basis of a contract under which the recipient of the personal data is obliged to maintain high standards of personal data protection (the transfer of personal data is based on the „standard clauses” for protection of personal data pursuant to Article 2 (c) of the General Data Protection Regulation) and/or subject to the consent of the person whose personal data is transferred.

Storage period. The personal data submitted by you are stored for a period that is not longer than is necessary for the purposes for which the data are processed.

 

8. How do we protect your data

AmRest implements organizational, physical, information technology and other necessary measures to ensure the security and protection of your personal data and the monitoring of personal data processing.

These security measures include also the following activities:

  • AmRest has established the requirements for the processing, registration and storage of personal data through internal procedures that are monitored on an ongoing basis;
  • the access of AmRest employees to personal data and the authorization to process personal data in the AmRest database is restricted depending on their duties;
  • AmRest has implied confidentiality obligations on its employees;
  • the access of each employee to the AmRest equipment and the computers is restricted.
  • we implement all necessary organizational and technical measures provided by the Personal Data Protection Act, as well as best practices of the international standards.
  • For maximum security of the processing, transferring and storing your data, we may use additional security mechanisms, such as encryption, pseudonimization, etc.

Our security measures are subject to continuous improvement and adaptation to the latest technologies.

 

9. Access

When permitted by the law, you may use any of the methods in Section 13 of this Policy to obtain confirmation that AmRest processes your personal data and to request access, rectification or erasure of personal data processed by us, including where the data is processed in breach of the principles of Regulation (EU) 2016/679 of 27.04.2016 and the PDPA. Such requests will be processed in accordance with the internal rules of AmRest in accordance with Regulation (EU) 2016/679 of 27.04.2016 and the PDPA.

AmRest respects and takes due care to respect the rights of the data subjects but there may be cases where the requested information cannot be provided, for example but not only:

  1. when the law overrides the rights of the data subjects;
  2. where it poses a risk to the security of the data subjects;
  3. when it would interfere with the privacy of others or when it is commercially property.

If the Controller determines that the access must be limited, in any case AmRest will make the necessary efforts and to inform you about the reasons for the restriction of the access to the information requested by you and will provide contacts for further inquiries.

If necessary, the AmRest Personal Data Protection Officer will contact another person who will cooperate and complete the process of submitting the data you have requested. In order to protect your data, the Controller will take the necessary steps to verify your identity before providing access to or before making any changes to your data.

10. Data integrity – limitation of the purposes

AmRest processes the personal data submitted while you use the websites or as long as it is necessary to complete the purpose(s) for which they are collected, for example but not only: to complete the provided services, to resolve disputes, for legal defense, to perform audits, in case of legitimate business interests, for execution of contracts and for compliance with the applicable laws. Your consent to these purposes is not necessary.

11. Further exchange

AmRest does not disclose personal data to third parties unless a client or a potential employee requests or agrees to such disclosure, or unless the disclosure is required by law. The Controller may exchange personal data with service providers, consultants and affiliates for internal or business purposes or to deliver you the product or service you have requested.

Payment information is processed only for execution of orders and may be stored by our service providers for future ordering purposes or for accounting purposes.

The Controller requires its providers or other personal data processors to provide a written confidentiality agreement and to protect the personal data processed on behalf of the Controller, including providing at least the minimum level of protection required by the principles of the Regulation (EU) 2016/679 of 27.04.2016. The data is not used for any purpose other than those specified by the Controller. The providers must notify the Controller if they have determined that they can no longer fulfill their obligations. With regard to further transfers of data provided to third parties, the Controller supervises the personal data processing by requesting a guarantee from the processor for compliance with the principles of Regulation (EU) 2016/679 of 27.04.2016.

Your personal information is treated as an asset of the company and may be disclosed or transferred to third parties in case of change in the organizational structure of AmRest, for example in case of reorganization, sale, merger, division, joint venture, transfer, uniting or other the type of acquisition, disposal or financing of all or part of our business or of any of the commercial assets or shares (including in relation to bankruptcy or similar proceedings). In these cases, your data is transferred to third parties to enable you to continue to receive the same products and services or to maintain the same relationships with the third party.

Although we make every effort to maintain the confidentiality of our personal data, AmRest reserves the right to disclose personal data to third parties in certain limited circumstances, which include:

  1. compliance with a law, search warrant, subpoena, legal proceedings, judicial or administrative orders;
  2. response to a legal requirement by public authorities, including compliance with the national security requirements or compliance with law enforcement requirements;
  3. implementation of the Controller's policies or contracts;
  4. collection of due amounts;
  5. protecting the users of the websites from fraud or abuse;
  6. during emergencies where the security is at risk, as determined by the Controller;
  7. where needed for the establishment of, exercise of or defense against legal claims.

At the discretion of the Controller, the server logs can be reviewed for security purposes, for example to detect unauthorized activity on the websites. In these cases, the server data containing IP addresses will be shared with law enforcement bodies to identify users in connection with their investigation of unauthorized activities.

12. Security

While there is no „guaranteed security”, we and our partners use commercially acceptable measures (including all steps required by the applicable law) designed to protect your personal information from loss, unauthorized access, use, modification, disclosure or other misuse.

13. Data subjects' rights

You may lodge a complaint at your Supervisory body – for Bulgaria this is the Personal Data Protection Commission at the addresses given in this Policy. AmRest will fully comply with the recommendations made by the Supervisory body and will take the necessary steps to remedy any non-compliance with the regulatory principles.

Personal Data Protection Commission,

address: 1592 Sofia, 2 Professor 2 Tsvetan Lazarov Blvd.;

Website: www.cpdp.bg.

You have the right to lodge a complaint at the personal data protection supervisory body:

Your legal rights are:

  • Request information whether we are processing your personal data, what that data are and for what purpose they are processed.
  • To request access to your personal data („Application for access to data”). It allows you to obtain a copy of the personal data held by us and to verify that we process it in accordance with the established legal procedure.
  • To request rectification of your personal data. You can rectify any personal data stored by us if it is inaccurate or incomplete.
  • To request erasure of your personal data. It allows you to request that we erased or deleted personal data if:
  • the data are no longer necessary about the purposes for which they were collected or otherwise processed;
  • you have withdrawn the consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing, including profiling and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data for direct marketing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased in order to comply with a legal obligation under the EU of the Bulgarian legislation;
  • the personal data have been collected about the offer of information society services.
  • To object against certain types of processing, such as for direct marketing (unsolicited advertising messages), as well as when the processing is based solely on a legal interest of the Controller.
  • To object against automatic decision-making, including profiling, i.e. not to be subject to any automated decision-making by us with the help of your personal data or profiling.
  • To request restriction of the processing of your personal data, where:
  • the accuracy of the personal data is contested by you for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing but the data subject requires the data to establish, exercise or defend a legal claim;
  • the data subject has objected to processing based on the legitimate interest of the Controller and verification whether the legitimate grounds of the controller override those of the data subject is being carried out.
  • To request transfer of your personal data electronically and in a structured format to you or to another person (generally known as a “data portability” right). This allows you to receive your data from us in a convenient electronic format and to transfer it to another person in a convenient electronic format.
  • To withdraw your consent, In the rare cases where you may have given consent to collection, processing and transfer of personal data for a particular purpose, you may at any time withdraw your consent to that particular type of processing. Once we have been notified that your consent has been withdrawn, we will stop processing your information for the initial purposes, unless there are other legitimate grounds.

The request can be made by filling out a form and sending it to the e-mail address of the Data Protection Officer or to AmRest.

To be sure that we have identified the right person, we may contact you to confirm your request.

AmRest undertakes to review your request without undue delay and in any case within 30 days from the receiving of the request. In cases of legal and factual complexity, this period may be extended by another 30 days. You do not have to pay a fee to exercise the above rights. A fee may be charged when a request is manifestly unfounded or excessive and if it is repetitive.

In order to provide complete, accurate and clear information, we may ask you for specific, identifying data to help us verify your identity. This is an additional security measure to ensure that your personal data will not be disclosed to persons who are not entitled to receive it.

14. Information concerning children

We do not knowingly collect personal data from children under the age of 16. If we learn that we have collected personal data from a child under the age of 16, we will take steps to delete these data as soon as possible or to obtain the consent of the person in charge of the child.

If you are the parent or legal representative of a child who you think has provided us personal data, please contact our Data Protection Officer and he will take immediate actions to erase the information in accordance with applicable law.

15. Links to websites of third parties

Please be aware that the Website may contain links to other websites for your convenience and information. The Controller does not control the sites external to the Company or their privacy practices. Please be aware that they may differ from those set out in this Policy. AmRest does not approve or make any statements regarding third party websites. The personal data you choose to provide to non-affiliated websites is not covered by this Policy. We encourage you to review the privacy policies of other websites before providing your personal data. Some third parties may choose to exchange their users' personal data with us. This exchange is governed by the privacy policy of the company and not by this Policy.

16. Changes in the Privacy policy

The controller may update this Privacy policy. In case of change of the Policy, we will update the date of the „last revision” located at the header of the Policy.

If there are any changes of this Policy, we will inform you about them. We encourage you to read our Privacy policy in order to be informed how we protect the information provided by you.

If you continue to use the Website after the publication or the amendment of the Policy, this will be considered your consent, bounding by it and any such changes thereto.

Any change to this Privacy policy will be effective immediately upon its publishing.

17. Other relevant policies

This Policy may be supplemented by one or more privacy statements or terms of use (each of which is a „Specific policy”). In case of discrepancies between this Policy and any Specific Policy, the applicable specific policy applicable shall prevail.

This Policy is considered effective from November 2023.