Costa Digital Library Website Privacy Policy

Costa Limited ("Costa", "We", "Us") is a controller of your personal data. We respect your data and your privacy is important to us.

This Privacy Notice explains what personal data we collect and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.

You have the right to object to some of the processing which Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

Costa Limited’s registered office is Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.



Summary of how we use your data and your rights
Information we collect from you
How we use information and the legal basis
Data sharing
International transfers
Other websites
Surveys
Data retention
Your rights
Contact details



  1. Summary of how we use your data and your rights
  2. We use your data to register you online, administering membership records, provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes. From time to time, we may ask you for data of a sensitive personal nature, such as data relating to your dietary preferences and details about your personal health in relation to a specific event or activity. By providing us with such information, you consent to the processing of such sensitive data.

    We will use your data to comply with laws and regulations and to prevent and detect crime, such as fraud.

    You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the "Your rights" section of this notice.

    When you give consent, you are able to withdraw that consent at any time, for instance by emailing help@costaresourcecentre.com. You can also email help@costaresourcecentre.com to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more information.

    Our websites and app use cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings. Please see our Cookie Notice for more information.

    Costa is part of the Coca Cola group of companies, for details of how personal data is shared with the Coca Cola group, please see the "Data sharing" section below.



  3. Information we collect from you
  4. We collect information from visitors to this website through the use of online forms (for example registration form and order request form) or corresponding with us.

    In particular:

    • We keep information you give us directly such as contact details (including name, email, address and telephone number), comments.,
    • Via our website, cookies (cookie policy) and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.
    • If you post information online about us or provide feedback, we keep a record.
    • If you contact us directly and complain or give feedback, we will record details and all related information (including that you provide to us) such as emails.



  5. How we use information and the legal basis
  6. We are allowed to use your data only if we have a proper reason to do so such as:

    • To fulfil a contract we have with you;
    • When it is in our legitimate interest;
    • When you consent to it; or
    • To comply with the law.

    A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. For more information on this assessment please contact costadpo@costacoffee.com.

    We have set out below how and why we use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.

    To run our business and pursue our legitimate interests, we use your information.

    Our legitimate interests include keeping our records up to date, fulfilling our legal, compliance and contractual duties and improving our site and apps, and services.

    We keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.



  7. Data sharing
  8. We will only share personal information to other companies within our group of companies and to any successors in title to our business and to suppliers we engage to process data on our behalf but only for the purposes described in this Privacy Policy.

    We will not share your personal information with any other third parties, though we reserve the right to disclose your personal information to government bodies and law enforcement agencies (once we are reasonably satisfied as to the circumstances surrounding the request), to third party companies to help us operate our systems properly and to protect our users and ourselves.

    We may also use and disclose information on individuals and in aggregate for marketing and strategic development purposes.



  9. International transfers
  10. Sometimes we send or store your data outside of the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (‘EEA’). For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run our services.

    If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:

    • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some countries have been deemed adequate by the EU.
    • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.
    • Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.
    • Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.

    For our service provider in India, who has restricted access to some data to provide us with IT support and maintenance services, we rely on contractual measures. For further details on the mechanisms used please contact costadpo@costacoffee.com.



  11. Other websites
  12. Our website may contain links to other websites which are outside our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect personal information from you which will be used by them in accordance with their respective privacy policies, which may differ from ours. We are not responsible for the privacy or data collection practices of these websites and we would encourage you to read all applicable terms, conditions and privacy statements when accessing these websites.



  13. Surveys
  14. We are always looking to improve the products and services that we offer. To do this, we may from time to time contact you to solicit your opinions and views. Your participation in these surveys is wholly voluntary. Should you choose to participate, you may rest assured that we will treat any personal information that you provide to us with the same standards as all other personal information.



  15. Data retention
  16. We keep your data in line with our data retention policy to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site, where required by law or to protect legal rights.

    We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.

    You can request a copy of the data retention policy from the data protection office, contact details are at the end of this policy.



  17. Your rights
  18. You have rights over your personal data. You can:

    • ask for a copy of your information;
    • ask for information to be corrected;
    • ask for information to be erased or deleted;
    • ask for us to limit or restrict processing;
    • object to us processing your data, in particular, where we do not have to process the data to meet a contractual or other legal requirement and in relation to processing for direct marketing purposes, including profiling for direct marketing purposes;
    • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

    Some rights, however, may be limited. We may be obliged by law or regulation to keep information. We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data. On occasion there may be a compelling legitimate interest to keep processing data.

    If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see "Contact details" below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.

    You have a right to complain to an EU data protection authority. This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office (the “ICO”), whose contact details are as follows:

    Email: https://ico.org.uk/make-a-complaint/ or Tel: 0303 123 1113



  19. Contact details
  20. To exercise any of your rights or to withdraw consent you can email: consumercontact@costa.co.uk

    Or write to them at: Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.

    For any queries relating to data protection, please contact Costa's Data Protection Officer by:

    Email: costadpo@costacoffee.com

    Or write to them at: Data Protection Officer, Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.

    We may change or update this notice from time to time. Should this happen, we will detail the changes on this web page. Please check here regularly for any updates to this Privacy Policy.

Loading Icon