PRIVACY POLICY

 

Thank you for visiting our website.  Jacobs Douwe Egberts (“JDE”) is dedicated to protecting the privacy of those who visit our website. We ask that you read the policy below carefully.  

We may amend this Privacy Policy from time to time. Please refer to this Privacy Policy on a regular basis to be updated on our processing activities. 

  1. Data Controller 

JDE (Jacobs Douwe Egberts DE GmbH) (“WE”) is the Controller of your personal information, which means that we are responsible for how and why your personal information is being processed. 

This Privacy Policy sets out how and why we collect, store, process and share your personal data and applies to all the personal information we collect about you when you interact with us: 

  • by visiting our website;
  • subscribing to our newsletters;
  • by other forms of communication (includingcustomer service,social media platforms). 

 

  1. Collection and use of your personal data  

In the following section, you will find information on how we collect your personal data, for which purposes we process your data, on which legal basis we do so and for how long we retain your data.  

A legal basis for processing your data will arise when one or more of the following conditions apply:  

  • Consent: You have given us your consent to the use of your information which can be revoked at any time, Art. 6(1)(a) GDPR.
  • Contract:  You have/or are about to enter into an agreement with us and your information is needed to provide you with the requested products or services, Art. 6(1)(b) GDPR.
  • Legal obligation: We may be required to process your information in order to comply with certain legal obligations, Art. 6(1)(c) GDPR.
  • Legitimate interest: We might use your information because we have—or a third party has—a legitimate interest in doing so. This happens only in cases where wethink the way we are using your data doesn’t significantly impact your privacy or would be expected by you, or there is a compelling reason to do so, Art. 6(1)(f) GDPR.

 

  1. Retention Periods 

Unless otherwise specified in this policy, we will delete your personal data if they are no longer required for the relevant processing purposes and no legal retention obligations oppose deletion. 

 

  1. Data Usage 

When you visit our website, our web server temporarily evaluates usage data for statistical purposes in order to improve the quality of our website. This data includes the following: 

- the name and address of the requested content, 

- the date and time of the query, 

- the transferred data volume, 

- the access status (content transferred, content not found), 

- the description of the used web browser and operating system, 

- the referral link, which indicates from which page you reached ours, 

- the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established. 

The above-mentioned website log data will only be evaluated anonymously. 

 

  1. Cookies and tracking technologies 

JDE and our third-party partners use cookies and similar technologies like pixels, tags, web beacons (“cookies”) and other identifiers to provide you with the best possible service and optimize our website performance. These cookies may also help us remember your preferences, understand user interactions as well as to personalize our website and marketing communications.  

Please note that the use of third-party content and functions may result in your data being processed outside the EU or the EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without informing you or allowing you to take legal action. 

Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49(1)(a) GDPR. 

 

Your Consent / Withdrawal of consent (“Opt In / Opt Out”).   

You may withdraw your consent to the placing of cookies or otherwise adjust your cookie settings at any time through our  . 

 

  1. Strictly Necessary Cookies 

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.  

These cookies usually do not store any personally identifiable information. In the exceptional case that these cookies allow a personal reference, the processing is based on legitimate interest.  

 

Cookie/ Provider 

 

Purpose 

Retention Period 

 

Adequate level of data 

protection 

Blueconic 

Consent Management Platform 

Data retained for 1,5 years - or – earlier if cookies are deleted from device or consent is withdrawn. 

Processing within EU/EEA 

One Trust  

Consent Management Platform 

Data retained for 1 year - or – earlier if cookies are deleted from device or consent is withdrawn. 

 

Processing within EU/EEA  

__RequestVerificationToken 

This is an anti-forgery cookie set by web applications built using ASP.NET MVC technologies.  

Session 

It holds no information about the user and is destroyed on closing the browser. 

ARRAffinity 

This cookie is set by websites run on the Windows Azure cloud platform. It is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. 

Session 

Data stored in EU data centers. Adequate level of protection.  

  1. Functional Cookies 

 

These cookies allow our website to remember choices you make, enhance your experience and to improve response speed and efficiency by storing certain frequently-accessed information. For example, cookies to remember your display preferences (e.g., language, font size), the contents of your shopping basket, to render fonts and make a responsive website perfectly fitted for your device, or to remember a search term or a chosen filter you used.  You can choose not to allow some of these cookies; however, this may impact your experience of the site and the services we are able to offer. 

Functional cookies are placed on the basis of legitimate interest and can include the following purposes:  

  • authentication of users for a secured login; 
  • storing preferences such as language, location, the number of search results to be displayed etc.; 
  • storing settings for optimal video display, such as buffer size and your screen's resolution details; 
  • identifying misuse of our website and services, for example by recording several consecutive failed log-in attempts. 

 

Cookie/ Provider 

 

Purpose 

Retention Period 

 

Adequate level of data 

protection 

Amazon 

AWSALBCORS 

This cookie is managed by AWS and is used for load balancing. 

7 Days 

The AWSALB cookies are encrypted and do not contain any personally identifiable information. 

Amazon 

AWSALB 

AWS ELB application load balancer 

7 Days 

The AWSALB cookies are encrypted and do not contain any personally identifiable information. 

  1. Analytical  Cookies 

  

These cookies collect anonymous information about how you use the Website. We use these cookies for web analytics, which allow us to statistically monitor how people are using our website, to help us improve our online offerings as well as to test different design ideas for particular pages.  

We work with independent measurement and research companies to perform these services for us, so some of these cookies may be set by a third-party company.These third-party companies and related cookies are as stated in the table below. 

 

Third party Provider 

Tools 

Maximum retention period 

Adequate level of data protection 

Google Ireland Limited/ Google LLC (USA) 

Google Analytics 

26 months 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

 

  1. Advertising Cookies & Tracking Technologies  

These cookies may be set through our site by our advertising partners. They may be used by these partner companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. 

We also use cross-device tracking technologies to help us carry out marketing analytics, create custom audiences and show you targeted advertising on other websites based on your visit to our websites.   

The legal basis for this data processing is your consent in accordance with Art. 6 (1) 1a of the GDPR if you have given your consent via our consent banner.  

Your consent is voluntary and can be withdrawn at any time. 

How does tracking work? 

When you visit our websites, it is possible that the third-party providers listed below may retrieve identification characteristics of your browser or terminal device (e.g., a browser fingerprint), evaluate your IP address, save or extract identification characteristics on your terminal device (e.g., cookies) or gain access to individual tracking pixels. 

The individual characteristics can be used by these third parties to identify your terminal device on other websites. We may commission these third-party providers to show you advertisements based on the pages visited on our website. 

What does cross-device tracking mean? 

If you log on to the third-party provider with your user data, the respective identification characteristics of different browsers and end devices can be linked with each other. For example, if the third-party provider has created a unique identifier for each laptop, desktop personal computer, smartphone or tablet you use, these individual identifiers can be associated with each other as soon as you log in to a third-party service using your login credentials. This allows the third party to target our advertising campaigns across multiple devices. 

Which third-party providers do we use in this context? 

The third-party providers with whom we work for advertising purposes are listed below. If the data is processed outside the EU or EEA in this context, please note that there is a risk that local authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49(1)(a) GDPR. 

 

Third party Provider 

Tools 

Purpose 

Maximum retention period 

Adequate level of data protection 

Facebook (USA and/or Ireland) 

Facebook Custom Audience 

It allows us to track the actions people take on our websites to create audiences on Facebook to create target groups and to find new potential customers/lookalikes. 

The maximum amount of time that people will stay in a Custom Audience from your website or mobile app is 180 days. After 180 days, people who have been in the website Custom Audience will be removed unless they revisit the e.g., website or mobile app again. 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

 Google LLC (USA) 

DoubleClick Floodlight/ DoubleClick/ GA Audiences 

DoubleClick Floodlight allows us to track and report on conversions — the actions of users who visit our site after viewing or clicking on ads — and to report campaign effectiveness. 

 

DoubleClick allows us to optimize advertisements to onsite behavior, user characteristics and interests on digital ads. It helps to manage digital campaigns across websites and mobile devices. 

 

GA Audiences allows us to create audiences on Google Analytics for remarketing purposes and to reach people who were previously engaged with our products/services. 

IP addresses are anonymized after nine months and the data in cookies is anonymized after 18 months. At this point they are not used. 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

YouTube / Google (USA) 

CONSENT 

 

YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. 

IP addresses are anonymized after nine months and the data in cookies is anonymized after 18 months. At this point they are not used. 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

YouTube / Google (USA) 

VISITOR_INFO1_LIVE 

This cookie is used as a unique identifier to track viewing of videos. 

180 days 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

YouTube / Google (USA) 

YSC 

 

YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. 

Session 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

LinkedIn 

LinkedIn Pixel 

Personalized Advertising by Pink Squid Ltd 

2 years 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

 

  1. Embedded Videos 

On our websites, we embed videos that are not hosted on our servers. In order to ensure that accessing our websites containing embedded videos does not automatically lead to the download of third-party content, we only show locally hosted preview images of the videos as a first step. As a result, the third-party provider does not receive any information. 

Only after you click on the preview image, is content from the third-party provider downloaded. This provides the third party with information that you have accessed our site and with the usage data technically required for this purpose. Furthermore, the third-party provider is then able to implement tracking technologies. We have no influence on the further data processing by the third-party provider. By clicking on the preview image, you give us your consent to download content from the third-party provider. 

The embedding is based on your consent in accordance with Art. 6 (1) 1 a GDPR, provided that you have given your consent by clicking on the preview image. Please note that the embedding of many videos leads to your data being processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without informing you or allowing you to take legal action. Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49(1)(a) GDPR. 

 

Third party 

Provider 

Adequate level of data protection 

Withdrawal of consent 

YouTube / Google (USA) 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

If you click on a preview image, the content of the third-party provider is immediately downloaded. 

To withdraw your consent, please click  to change your settings via our banner (Data processing by third parties). 

Vimeo (USA) 

No adequate level of data protection. The data is transmitted on the basis of Art. 49 (1a) GDPR. 

If you click on a preview image, the content of the third-party provider is immediately downloaded. 

To withdraw your consent, please click  to change your settings via our banner (Data processing by third parties). 

  1. Map Services 

On our web sites, we embed map services which are not stored on our servers. In order to prevent the automatic downloading of third-party content when you visit our web sites with embedded map services, we only show locally stored preview images of the maps as a first step. This does not provide the third-party provider with any information. 

Only after you click on the preview image, will third-party content be downloaded. This provides the third party with information that you have accessed our site and with the usage data technically required for this purpose. We have no influence on the further data processing by the third-party provider. 

By clicking on the preview image, you give us the consent to download contents of the third-party provider. 

The legal basis for the embedding processing is your consent according to Art. 6 (1) 1 a GDPR, provided that you have previously given your consent by clicking on the preview image.  

Please note that the embedding of some map services means that your data may be processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without informing you or allowing you to take legal action. Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49(1)(a) GDPR. 

  1.  Contact Us  

You may contact us via our contact form on this website or via telephone.  

When you use our contact form, we will require you to provide the data marked as mandatory. 

We process the data that is necessary to answer your enquiry on the basis of Art. 6 (1) 1 b GDPR. Information that you voluntarily provide to us (data fields that are marked with a *) is processed on the basis of your consent in accordance with Art. 6 (1) 1 a GDPR. You declare this consent by sending the form.  

Your data will only be processed to answer your request. We will delete your data if they are no longer required and there are no legal obligations to retain them. 

When you contact our Customer Service by phone, we may collect audio recordings of your call, based on your explicit consent. We will also inform you about this in the corresponding telephone message. The data is used to respond to your customer service requests. Where calls are recorded, the data is used for training and customer care purposes.   

Where the processing of your data is based on legitimate interest in accordance with Art. 6 (1) 1 f GDPR, you have the right to object to that processing at any time. To do so, please use the email address provided in the imprint.  

In addition, you can withdraw any consent to the processing of your voluntarily provided information at any time. To do so, please use the email address provided in the imprint. 

The personal data processed by Customer Service is deleted 6 months after the resolution of the case for which it was collected. 

  1. Captcha  

To protect our web forms from automated requests, we use the system Google reCAPTCHA by Google LLC. Within the captcha function you may be asked to carry out a specific task or click on certain checkboxes. The user input required in this context and, if necessary, the mouse movements are used to determine whether the input comes from a person or an automated program. 

As the Captcha function is provided by a third party, displaying the captcha will cause third-party content to be downloaded. This provides the third party with information that you have accessed our site and with the usage data technically required for this purpose. We have no influence on the further data processing by the third-party provider. 

The legal basis for this data processing is your consent in accordance with Art. 6 (1) (a) GDPR. You declare your consent by using our web forms that are protected by reCAPTCHA. A corresponding indicator is displayed on these pages. 

Please note that the use of the Captcha function may result in your data being processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without informing you or allowing you to take legal action. Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49(1) (a) GDPR. 

  1. Social Media Plugins  

We may enable the usage of social media plugins such as Facebook, Twitter, Instagram and YouTube on our website. However, for data protection reasons, we only integrate these social media plugins in a deactivated form. Therefore, when you visit our websites, no data is transmitted to social media services unless you activate the respective social plugin by clicking on the preview image or icon connected to the desired social media platform.  

If you click on a plugin, the social media platform receives information about your visit to our websites. This happens regardless of whether you have registered an account with the respective social media service. If you are logged in, the data can be directly assigned to your social media profile. They may also use this information to create user profiles based on your data and use them for the purpose of personalized advertising. 

JDE is not responsible for the privacy policies and/or practices of third parties. When activating or linking to another website or platform, you should read the privacy policy on that site or platform.  

The legal basis for this integration is your consent according to Art. 6 (1) 1 a GDPR, if you have given your consent by clicking on the preview image. Please note that the integration of many social plugins means that your data is processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without you being informed or having the right to appeal.  

If we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49 (1) (a) GDPR. 

If you no longer wish your personal data to be processed by the activated social plugins, you can prevent future processing by not clicking on the preview image or icon of the respective Social Plugin. 

 

 

  1. Newsletter Registration and Delivery 

You may register to receive our newsletter on our website. Please note that we require certain data (your e-mail address at the minimum) to complete the newsletter registration.  

We will only send you the newsletter if you have given us your  consent in accordance with Art. 6 (1) 1 a GDPR. After you have completed the newsletter registration on our website, you will receive a confirmation e-mail at the e-mail address you provided (double opt-in).  

You may withdraw your consent at any time. An easy way to withdraw your consent is, for example, to use the unsubscribe link provided in every newsletter.  

Your data and your preferences are stored until you withdraw your consent. We delete your data 2 years from the date of data collection or the last contact (request for information or click on a link in an email). 

As part of the newsletter registration process, we store certain data in addition to the above-mentioned data, as far as it is necessary to prove that you have registered for our newsletter. This may include storing the complete IP address at the time of the registration or confirmation of the newsletter, as well as a copy of the confirmation mail sent by us.  

The legal basis for the data processing is our legitimate interest to be able to account for the legality of the newsletter delivery according to Art. 6 (1) 1 f GDPR. 

If you register for our newsletter, we may ask you to agree to further newsletter tracking as part of the registration process. 

If you give us the appropriate consent in accordance with Art. 6 (1) 1 a GDPR, we will include individual tracking technology in our newsletters, with which we can recognize when the newsletter sent to you was accessed or opened and individualize the links in the newsletter to determine when you clicked on which link. 

 

  1. Additional Data Transfers  

JDE will not share, sell, transfer or otherwise disseminate your Personal Data to third parties, unless required by law according to Art. 6(1)(c) GDPR, unless required for the purpose of your contract according to Art. 6(1)(b) GDPR, unless the third-party acts as a data processor on our behalf according to Art. 28 GDPR, as a Joint Controller according to Art GDPR or you have given us express consent to do so according to Art. 6(1)(a) GDPR. 

We may disclose your personal information to: 

  1. Our affiliates    
  2. External service providers such as consultants, advisors and auditors. We may also share your data with trusted service providers who support us in providing you with services such as IT services, marketing, finance, advertising, archiving and document storage. 
  3. Public or governmental authorities as required by applicable laws and regulations.

 

Where required, the appropriate data processing agreements and transfer mechanisms have been put in place. JDE is not responsible for the policies of the third-party providers. 

  1.  Data Security 

We take technical and organizational measures to protect your data as comprehensively as possible from unauthorized access. These measures include encryption procedures on our web pages. Your data is transferred from your computer to our server and vice versa via the internet using TLS encryption. 

You can recognize this by the lock symbol in the status bar of your browser and the address line beginning with https://. 

 

  1. Your rights as a data subject 

When processing your personal data, the GDPR grants you certain rights as a data subject: 

Right of access by the data subject (Art. 15 GDPR) 

You have the right to obtain confirmation as to whether personal data concerning you are being processed; if this is the case, you have the right to be informed of this personal data and to receive the information specified in Art. 15 GDPR. 

Right to rectification (Art. 16 GDPR) 

You have the right to rectification of inaccurate personal data concerning you and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement without delay. 

Right to erasure (Art. 17 GDPR) 

You have the right to obtain the erasure of personal data concerning you without undue delay if one of the reasons listed in Art. 17 GDPR applies. 

Right to restriction of processing (Art. 18 GDPR) 

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g., if you have objected to the processing, for the duration of our examination. 

Right to data portability (Art. 20 GDPR) 

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, or to request that this data be transferred to a third party. 

Right to withdraw consent (Art. 7 GDPR) 

If the processing of data is based on your consent, you are entitled to withdraw your consent to the use of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected. 

Right to object (Art. 21 GDPR) 

If data is collected on the basis of Art. 6 (1) 1 f GDPR (data processing for the purpose of our legitimate interests) or on the basis of Art. 6 (1) 1 e GDPR (data processing for the purpose of protecting public interests or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if data is still needed for the establishment, exercise or defence of legal claims. 

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) 

According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. This right may be asserted in particular with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the suspected infringement. 

Asserting your rights 

Unless otherwise described above, please contact us to assert your rights. You will find our contact details in our imprint. 

  1. Data Protection Officer 

Our Global Compliance Officer and external data protection officer are available to provide further information on data protection.  

JDE Global Compliance Officer  

privacy@jdecoffee.com 

 

FIRST PRIVACY GmbH,  

Konsul-Smidt-Str. 88, 28217 Bremen, Germany 

www.first-privacy.com 

office@first-privacy.com