Last updated 27 April 2022
The Starbucks name and reputation were built on a foundation of trust. This Starbucks privacy notice (“Notice”) describes how Coffee Concepts Retail Co., Ltd. and its parent and other affiliated companies (“Starbucks”, “we” or “us”) collect, use and disclose (“process”) your personal data through our websites and online services, including https://www.starbucks.co.th and other Starbucks owned or operated websites, mobile applications, and online services that link to this Notice (collectively, the “Sites”), through our programs and in our physical stores (“Services”) and through services provided by you and contracts entered into with you. The purpose of this Notice is to let you know which personal data we collect about you, the reasons why we process such data, how long we keep it and what your rights are and how you can exercise them. This Notice does not apply to websites and services that display or link to different privacy statements. Websites and services co-branded with other partners may display or link to a joint privacy statement or separate privacy statements of our partners in addition to our Notice. Without limiting the generality of the foregoing, Starbucks may transmit your information outside of Thailand in the manner and for the purposes described in this Notice.
References in this Notice to “you” or “your” are references to individuals whose data is processed by us or on our behalf in connection with our activities or as transaction counterparties or litigants in legal proceedings involving us. Please see further information in section “Who Is Concerned by This Notice and From Whom Do We Collect Personal Data?” below.
What Types of Information Does Starbucks Process?
Depending on the type of products or Services we offer or provide, personal data which identifies you, either directly or indirectly, as an individual (“Personal Data”) that may be processed by Starbucks may include:
- identity data – your first name, last name, nickname, specimen signature, date of birth, gender and information in your household registration, identification (ID) card or passport which contains citizen ID card or passport number, nationality and photograph;
- contact data – private or professional such as your job position, employer, address and e-mail address, phone number and social media account;
- tax and financial data – your tax ID, credit card number, bank account details and other payment information;
- transactions, benefits and preferences data – your marketing and communication preferences, your rewards and benefits under Starbucks Card and purchase history;
- communication data – your comment, request or complaint on Starbucks’ product or Service, recorded phone conversation, chat logs,
- CCTV data – closed-circuit television (“CCTV”) footages that are installed at our head office and our physical stores;
- geolocation data – we may collect information about the location of your device, such as information that identifies your device’s precise location (for example, GPS latitude and longitude level) or its approximate location (e.g., less precise location estimated based on a browser or device’s IP address)
- technical data – your internet protocol (IP) address, technical specifications and login credentials used to connect to Starbucks’ website and apps.
- criminal offence data – your criminal record on the criminal convictions and offences;
- health data – your physical and mental health status (e.g. a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state);
In addition to your Personal Data, you may also in some instances provide us with information about other people, such as name, phone number and email address, including when you participate in our marketing campaign and direct us to send someone a reward. Please see further information in section “Who Is Concerned by This Notice and From Whom Do We Collect Personal Data?” below.
We will not ask for any other sensitive personal data such as data related to your racial or ethnic origins, religious or philosophical beliefs, labour union membership, political opinion, genetic data, biometric data or data concerning your sex life or sexual orientation, unless it is necessary for our operation (including provision of Services to you) and we have a lawful basis to do so. Please note that before our processing, we may permanently mask, remove, black out or hide any of your information which is considered sensitive personal data and not necessary for our operation, and in no intention to alter, fabricate or forge the document or information received from you.
Starbucks may also collect aggregated data or anonymized data that does not directly identify you.
We may combine information we collect about you with information we receive from third parties.
In some instances, Starbucks may combine other information with Personal Data. If other information is combined with Personal Data or if other information is used to identify an individual, such information will be treated by us as Personal Data.
Who Is Concerned by This Notice and From Whom Do We Collect Personal Data?
We collect data directly from you as: (i) our customer; (ii) third party service provider (such as contractor, supplier, marketing agency, law firm, broker, insurance company or vendor); (iii) creditor or debtor; (iv) landlord (persons in (ii), (iii) and (iv) are collectively referred to as the “Counterparties”); or (iv) regulator. We may also indirectly collect personal data about other individuals from you whereas they have no direct relationship with us but are related to our customer and Counterparties, such as for instance the following persons of our customer and Counterparties:
- legal representative;
- contract staff;
- parent or legal guardian;
- relevant parties in transactions with our corporate customers; and
- campaign participant (your friend, family member or whoever benefits from participating in our campaign).
When you provide us with third party personal data like the examples listed above, please remember to inform the individuals providing the data that we process their personal data and direct them to our present Notice.
We may also obtain personal data from:
- third parties such as regulator or Royal Thai Police for investigation purpose;
- websites/social media pages of legal entities or professional customers or those containing information made public by you (e.g. your own website or social media); and
- public information such as information from the press.
If You Fail to Provide Your Personal Data
Where we are required by law to process your Personal Data or need to process your Personal Data under the terms of a contract we have with you (or take steps at your request before entering into a contract) and you fail to provide your Personal Data when requested, we may not be able to perform obligation under the contract we have with you or plan to enter into with you. In this case, we may have to decline to provide the relevant services, but we will notify you if this is the case.
How Does Starbucks Process Information About You?
We may process your Personal Data insofar as there is a lawful basis for conducting such activities. We collect, use or disclose your Personal Data under the following circumstances:
- To perform a contract with you or to take steps at your request before entering into a contract
- process your purchases of, or requests for, products and Services;
- register and verify user accounts;
- Provide benefit to members of Starbucks Rewards loyalty program;
- Provide rewards to participants of the marketing campaign;
- Perform Starbucks’ daily operation with you (e.g. process with Counterparties account opening, make purchase order, process store rental payments, process with payment to the existing Counterparties, verify authorisation of the authorised signatory(ies) and collect as supporting evidences for entering into a contract);
- Respond to your customer service inquiries, cope with your complaints and requests or take other actions in response to your inquiries; and
- Communicate with you about our Sites or Services or performance of our obligations under contract with you or vice versa.
- To comply with our various legal and regulatory obligations
- Cooperate, communicate with relevant authorities and respond to lawful authorities’ order, as needed; and
- Comply with legal and regulatory obligations which we are subject to.
- To fulfil our legitimate interest
- Performance of a contract with our corporate customers or corporate Service Providers or to take steps at our corporate customers or corporate Counterparties request before entering into a contract including to:
- cope with customers complaints and requests;
- improve Starbucks’ products or Services;
- perform Starbucks’ daily operations with Counterparties (e.g. process with Counterparties account opening, make purchase order, process store rental payments, process with payment to the existing Counterparties and collect as supporting evidences for entering into a contract.); and
- communicate with corporate customers and corporate Counterparties for Starbucks to provide or to receive Service, product or perform our obligations under contract or vice versa.
- Research, development, and improvement of our Services to help with the improvement of our existing products and Services and the development of new products and Services so that we meet and exceed your needs and expectations;
- Quality control of Services;
- Advertise news, promotional campaign, products or Services that are similar to the ones offered to members of Starbucks Rewards loyalty program;
- Conduct analytics for the marketing of our own products or Services for products and Services improvement; and
- Issue tax invoice per your request.
- Security reasons (e.g. record of CCTV footage will be used for detection and prevention of crime; detection and prevention of safety incidents; detection and prevention of unauthorised access to Starbucks’ premises and restricted areas; detection and prevention of gross misconduct; supporting safety, security and internal investigations; supporting criminal investigations; and for reviewing security & safety incidents, including security training exercises).
- More generally including to:
- verify the data or information provided to us by any corporate customer or third party for other purposes as well as your identity, authorisation or capacity to represent your entity which is our corporate customer or other Counterparties in entering into a contract with us;
- comply with Starbucks’ internal policy, procedure, standard or administration;
- process with insurance company to assess damages and remedies in case of customer complaints;
- seek advice from external law firm or other third party service provider; and
- establish, exercise or defend a legal claim.
In any case, where relying on legitimate interest, we ensure the processing remains proportionate and that your interests or fundamental rights are preserved.
- To respect your choice if we requested your consent for a specific processing
- Process with criminal record and health information for security and health and control purposes to comply with our security procedure; and
- Offer a variety of products or Services that may not be similar to the products or Services we have offered to you but should match your interests by creating personalized promotions and communicate with you about our brands, products, Services or events as a result of such personalized marketing including co-branded offers and affiliate and partner offers .
For certain types of Personal Data processing, we will provide you with specific information and invite you to consent such processing. Note that you may request to revoke your consent at any time, please refer to section “What Are Your Statutory Rights and What Choices Does Starbucks Offer About Personal Data?” below.
Does Starbucks Share Personal Data with Third Parties?
We share your Personal Data in limited ways:
- We may share your Personal Data within Starbucks for the purposes for which we collected the Personal Data, as described above;
- We may share your Personal Data with companies that provide us with support services (such as credit card processing, other payment services providers, website hosting, email and postal delivery, outsourced customer services providers, insurance companies, external law firms, import custom clearance services providers, mailing houses or website hosts and data management services providers) and that help us market our products and Services (such as email vendors or marketing agencies). These companies may use your Personal Data to perform their functions on our behalf;
- If you participate in any blog or other online forum on our Sites, any Personal Data that you post on our Sites may be shared with other forum participants and Site visitors;
- In the event of a merger, acquisition, financing, or sale of assets or any other situation involving the transfer of some or all of our business assets, we may disclose your Personal Data to those involved in the negotiation or transfer. If a change happens to our business, the part of our business that is (as the case may be) sold, acquired or merged, such entity may process your Personal Data in the same way as set out in this Notice;
- We may share your Personal Data with any other person who is under a duty of confidentiality to us; and
- We may share your information in a way that does not directly identify you (e.g. anonymized data or aggregated data) for statistical analysis and other business purposes.
Do We Transfer Your Personal Data Outside Thailand?
We may transfer your Personal Data to the countries outside of Thailand to our parent and other affiliated companies and our third party service providers as part of our normal business operations to perform our Services (e.g. our IT service provider).
In case of international transfers originating from Thailand to another country, the transfer of your Personal Data may take place where the Thailand Personal Data Protection Committee has recognised such country as providing an adequate level of data protection, your Personal Data may be transferred on this basis.
For transfers to the countries where the level of protection has not been recognised as adequate by the Thailand Personal Data Protection Committee, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you) or implement one of the following safeguards to ensure the protection of your Personal Data:
- Standard contractual clauses;
- Binding corporate rules approved by the Office of Thailand Personal Data Protection Committee.
How Long We Retain Your Personal Data?
Your Personal Data processed for the purposes hereunder will be stored only to the extent necessary during the term of your participation in the Services with us, for the period necessary to fulfil the purposes outlined in this, including during a transition period (e.g. for the compliance of our obligations regarding data retention as established in applicable laws), or responding to legal claims or regulatory requests (if any).
In principle we will retain your Personal Data as long as required or permitted by applicable law. For instance, most of our customer’s and/or Counterparties’ data is kept for the duration of the contractual relationship and 10 years after the end of the contractual relationship, in accordance with general statute of limitation under Thai law.
When Personal Data is no longer needed, or in any event, after legal authority to retain it has expired, we will remove your Personal Data from our systems and records and/or take steps to properly anonymize it.
What Are Your Statutory Rights and What Choices Does Starbucks Offer About Personal Data?
We believe in putting you in control of your Personal Data. You have the following rights under the conditions set out under applicable law and regulations pursuant to the conditions and requirements set forth thereunder
Right of access: You have the right to obtain from us the access to your Personal Data under our responsibility, or request that we disclose how your Personal Data is obtained without your consent. You have the right to obtain a copy of the processing of your Personal Data. For additional copies requested by you, we may charge a reasonable fee based on administrative costs as permitted by Personal Data Protection Act B.E. 2562 (2019).
Right to rectification: You have the right to obtain from us the rectification of your inaccurate or incomplete Personal Data to be accurate, up to date, completed, and not misleading.
Right to erasure: You have the right to ask us to erase, destroy or anonymize your Personal Data, to the extent permitted by law. Note that this is not a blanket right to require all your Personal Data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your Personal Data.
Right to data portability: You have the right to receive your Personal Data which you have provided to us, unless it is impossible by technical circumstances. You also have the right to request us, where technically feasible, to directly send or transfer your Personal Data in such formats to other data controller if it can be done by the automatic mean.
Right to object: You have the right to object to collection, use or disclosure of Personal Data, on grounds relating to your particular situation., in accordance with the statutory provisions. If you file an objection, we will continue to collect, use, or disclose your Personal Data only if we can document legitimate reasons that outweigh your interests, rights, and freedoms, or if collection, use or disclosure is for the assertion, exercise or defence of legal claims or scientific, historical research or statistical, as may be applicable.
Right to withdraw consent: If you have consented to collection, use or disclosure of your Personal Data by us, you have the right to withdraw your consent at any time.
Right to file a complaint: You have the right to file a complaint with the responsible data protection supervisory authority, in the case where, in your view, we, our Staff or service providers violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder.
Starbucks offers choices for you to request to update or change your Personal Data and how we communicate with you. Follow the opt-out instructions in promotional emails we send you.
If you opt out of receiving promotional communications from us, we may still send you non-promotional communications such as emails about your accounts or our ongoing business relations.
You can usually choose to set your browser to warn you when a cookie is being sent or to remove or reject cookies. Each browser is a little different, so look at your browser “Help” menu to learn the correct way to modify your cookie settings. If you choose to remove or reject cookies, it will affect many features or Services on our Sites.
If you wish to exercise the rights listed above, please submit a data subject request form which is available here
- Data Subject Request form of Starbucks® Rewards Member (Click here)
- Data Subject Request form (Click here)
We may need to request specific information from you to help us confirm your identity and ensure your right to access your information (or to exercise any of your other rights). This is a security measure to ensure that your information is not disclosed to any person who has no right to receive it. Please include a scan/copy of your proof of identity for identification purpose when required.
You will not have to pay a fee to access your information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint where, in your view, we or our Staffs violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder, with the Personal Data Protection Committee.
We try to respond to all legitimate requests within 30 days. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
What If I Am A Minor?
We welcome everyone to become our valued customer and to become part of our Starbucks’ community, However, if you are under the age of 20, an additional consent from your legal guardian is required prior to using our Services or having any interactions with us by any means.
How is Personal Data Secured?
Starbucks takes reasonable steps to maintain appropriate physical, technical and administrative security to help prevent loss, misuse, unauthorized access, disclosure or modification of Personal Data.
While we take these reasonable efforts to safeguard your Personal Data, no system or transmission of data over the Internet or any other public network can be guaranteed to be absolutely secure. You are responsible for protecting your password(s) and maintaining the security of your devices.
Privacy Notice Updates
Notice went into effect on date at the top of this page. We may update this Notice from time to time.
We will notify you of any material changes through our Site or through our other usual communication channels that might affect the way we collect, use or disclose your Personal Data. We encourage you to look for updates and changes to this Notice by checking the date of our Notice when you visit our Sites.
We welcome your questions, comments and concerns relating to our processing of your Personal Data under this Notice. You may contact us by email at firstname.lastname@example.org, or by phone at 02-339-0996.
Coffee Concepts Retail Co.,Ltd.
12th, 16th floors, Exchange Tower, 388 Sukhumvit Road, Klongtoey, Bangkok 10110 Thailand