Last Revised: 23 September 2020
Gapurna Permai Sdn Bhd ("Costa", "We", "Us") is the controller and data user of your personal data. We respect your data and your privacy is important to us.
This notice also explains what rights you have over your personal data and how you can use those rights.
An overview of how we use your data is here.
We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes, in compliance with the requirements of the Malaysian Personal Data Protection Act (“PDPA”) 2010. We also use your data when you enter competitions or awards that we organise.
We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.
You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.
You are able to withdraw your consent at any time by emailing firstname.lastname@example.org. You can also email email@example.com to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more data.
You can unsubscribe from marketing communications at any time. To opt out of direct marketing, including profiling for direct marketing purposes, you can either adjust the preference settings, or select “unsubscribe” in emails, or email firstname.lastname@example.org.
If you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store to your location.
We collect data when you purchase something or use our services or enter our competitions or awards. This includes store visits, using our Platforms, or corresponding with us.
We receive your data from other people in certain circumstances. This can happen when:
Costa may use data about you or others that you have provided on your own volition for purposes described in this Policy or disclosed to you on our Platforms or with our Services. For example, we may use data about you or others that you provided to:
If you give us consent, we:
When you give consent, you are able to withdraw that consent at any time by contacting us, for instance by emailing email@example.com. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.
Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time. You can opt out of marketing by selecting “unsubscribe” in emails or by adjusting the preference settings on your account or by emailing firstname.lastname@example.org.
When the law requires us to process your data we will do so. This can include:
For some activities Costa uses third party service providers, for instance provision of WiFi in our stores. When these service providers need customer data from you, we share data with them, such as if a delivery partner needs data such as your name, contact details, address, and the items you have purchased for delivery of your purchase, to manage any complaints and other relevant purpose.
We use third party providers for the following services:
We may share data with our group of companies, parent company, subsidiaries and other affiliated companies.
If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers. Your data could be passed to the new owners. (You will be notified if this happens).
Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.
We may combine data we collect about you with data we receive from third parties.
We keep your data to enable us to fulfil our contract with you or to provide services, to enable us to facilitate the provision of products and services purchased from us ,whilst you are an active user of our site or app, to administer and promote our awards and competitions or where required by law or to protect legal rights.
We always look to keep your data for the minimum time in line with data protection principles and our processes. For example, we keep:
If you unsubscribe from marketing communications we keep a record of this request indefinitely to ensure we do not send you direct marketing again.
We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.
You have rights over your personal data.
Some rights, however, may be limited. We may be obliged by law or regulation to keep data. We must respect other people’s privacy as well, which means we may need to redact or remove data where it includes personal data about someone else, even if it is connected to your data. On occasion there may be a compelling legitimate interest to keep processing data. If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.
We take reasonable steps to maintain appropriate physical, technical and administrative security to help prevent loss, misuse, unauthorized access, disclosure or modification of personal data.
While we take these reasonable efforts to safeguard your personal data and information of others that you provided, no system of transmission of data over the internet or any other public network can be guaranteed to be 100% secure.
To discuss or change your personal details, including preference settings, you can click on “Profile” and edit your details from there; or you can contact customer services at email@example.com.
For any queries relating to data protection, please contact Costa's Data Protection Officer by email at firstname.lastname@example.org or write to them at Gapurna Permai Sdn Bhd, 42-2, Jalan Medan Setia 2, Plaza Damansara, Bukit Damansara,50490 Kuala Lumpur.
We may change or update this notice from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively telling you about the changes.
The controller for your data is Gapurna Permai Sdn Bhd, 42-2, Jalan Medan Setia 2, Plaza Damansara, Bukit Damansara,50490 Kuala Lumpur.
Some stores using the Costa brand are licensees of Costa International Limited but are not related to us. We are all committed to protecting your privacy but, just to be clear, each Costa franchisee/licensee is an independent business and is responsible for the operation of its own stores and Platforms and compliance with data protection law.