McDonald’s Supplier Privacy Notice

(Applies to U.S. Suppliers Only)

Effective Date: January 1, 2023.

McDonald’s Corporation, McDonald’s USA, LLC, and their United States subsidiaries and affiliates (“McDonald’s”, “we”, “us” or “our”) are committed to protecting information that we collect from our suppliers, consultants, contractors, service providers and vendors (each, a “Supplier”) for Supplier-related purposes, and for the administration of our supply chain, consultant and vendor services-related functions. Moreover, we are mindful of privacy when we handle personal information of our Supplier’s personnel who are residents in the United States (“you” or “SupplierPersonnel”). This Privacy Notice (this “Notice”) describes McDonald’s practices regarding the collection, use, transfer, disclosure, and other handling of your personal information. This Notice may be updated from time to time to reflect changes in our personal information practices, and we will post a notice on McDonald’s internal or external websites to notify you of any material changes.

1. Scope

This Notice applies to Supplier and your Personnel who are residents in the United States only.

Please note that this Notice does not apply to customers, employees or franchisees of McDonald’s. If you are a US customer and wish to learn how we process our customers’ personal information, please review McDonald's US Customer Privacy Statement.

2. Information We Collect

McDonald’s collects, and we have collected in the past twelve (12) months, the following categories of personal information from Supplier Personnel:

(A) Identifiers and contact information such as a Supplier Personnel’s real name, academic title, salutation, suffix, alias, postal address, unique identification numbers, online identifier, email address, Social Security number, mobile telephone numbers, passport number, driver’s license, government-issued identification number, usernames and passwords (whether assigned by McDonald’s or selected by you), accounting and payment information such as VAT number, country, bank account, name of the account holder, reference details, SWIFT code, IBAN, bank name and address, terms of payment, accounting correspondence, or any other financial information (to the extent it qualifies as personal information) and any other similar identifiers.

(B) Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) that may identify, relate to, describe, or be capable of being associated with particular individuals, including, the “identifiers” listed in the preceding bullet point (A) and the following: date of birth, marital status, birth or marriage certificates, nationality, signature, and physical characteristics or description (e.g., photographs).

(C) Characteristics of protected classifications under California or federal law, collected to ensure diversity, equity, and inclusion within the Supplier network, such as information on race and ethnicity, religious or philosophical beliefs, sexual orientation, and disability status.

(D) Biometric information, including fingerprint and fingerprint templates that may be used in connection with securing and providing Supplier Personnel with access to certain McDonald’s systems and applications (“Systems”).

(E) Internet or other electronic network activity information, including, but not limited to, information regarding and/or collected automatically as part of your interaction with the Systems (as defined below); electronic content produced or received by you using the Systems (including documents, information, and emails and other electronic communications transmitted or received through the use of the Systems); information relating to your accounts held on the Systems, websites, or apps (including account profiles on McDonald’s websites or apps and data stored in relation to such accounts, e.g., rights and privileges, activity, preferences, or other information that may be associated with your account); and information received by McDonald’s if you sign into the Systems, websites, apps, or accounts using social media or other third-party tools. This also includes voicemails, emails, and other work product correspondence and communications created, stored, or transmitted using McDonald’s computers, devices, or other communications equipment.

(F) Geolocation data – If you use certain McDonald’s apps or websites, such apps or websites may collect location data.

(G) Audio, electronic, visual, or similar information such as photographs and information captured on security systems, including key card or other entry control systems and CCTV systems.

(H) Professional or employment-related information, including:

resumes, language capabilities, references.
title/position, department, region/location, work-related contact details, technical skills, and emergency contact information.
Acknowledgements regarding McDonald’s policies, such as our Standards of Business Conduct, as well as information provided pursuant to McDonald’s policies such as information regarding potential conflicts of interest or similar compliance-related information.
Where permitted by law and pursuant to the Supplier Agreement (defined below), the results of criminal background checks, drug and alcohol testing and other screening procedures performed on Supplier Personnel.
Any information needed to comply with McDonald’s policies or other reporting obligations, or requests from any court, governmental entities, or law enforcement authorities.
Information on the Supplier agreement concluded with McDonald’s (“Supplier Agreement”), including commercial terms, legal terms and any other contractual documentation, information about contract performance, instances of non-performance and information about the expiration and termination of the Supplier Agreement (to the extent it qualifies as your personal information).
Financial data and performance-related data of the relevant Supplier, financial records, quality assurance and quality control documents, and other information relevant for an audit (to the extent it qualifies as your personal information).

(I) Education information, defined as information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). This includes details contained in letters of application and resumes/CVs such as institutions attended and performance.

(J) Inferences drawn from any of the information identified in this section to create a profile about a person reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(K) Sensitive personal information such as government-issued ID (e.g., Social Security, driver’s license, or passport number), account login or payment card information in combination with credentials allowing access to the account, precise geolocation data, certain characteristics of protected classifications such as racial or ethnic origin, contents of mail, email, and text messages, and biometric data, in each case as further described above in the relevant categories.

We collect this personal information: (1) directly from you when you provide information to us, for example, when you respond to a request for proposal, use our Systems, websites, or apps, or contact us; (2) indirectly from your computers, devices, or other communications equipment when you communicate with our Systems or applications; (3) from our security systems, including key card or other entry control systems and CCTV systems; and (4) from publicly available sources.

3. Purposes for Which These Categories of Information Are Collected

We use your personal information for various business purposes which include purposes disclosed in this Notice or purposes compatible with the context in which the personal information was collected. For example, business purposes include auditing, helping to ensure security and integrity, debugging, short-term, transient use, performing services, undertaking internal research for technological development and demonstration or undertaking activities to verify or maintain the quality or safety of a service or device. We also use your personal information for the following purposes:

assessment of a potential Supplier’s suitability as a Supplier as part of our Supplier due diligence process;
management, administration and oversight of the Supplier relationship with McDonald’s;
supply chain management and collaboration;
strategic sourcing and procurement;
contract lifecycle management, invoice management, and payment to Suppliers;
spend analysis and dynamic pricing;
service and product quality management and audits;
provision and facilitation of access to McDonald’s and McDonald’s vendor’s systems and applications utilized during the course of the Supplier relationship (including identity and access management or in-restaurant technologies);
monitoring the security and use of our networks, communications and Systems, offices and facilities, property and infrastructure, and information security services;
reporting and statistical analysis (e.g., System usage and content access);
compliance with legal and regulatory obligations such as compliance with anti-money laundering and trade sanction-related requirements, including record-keeping and reporting obligations;
dispute and complaint resolution, internal investigations and reviews, auditing, compliance with internal policies, and risk management; and
establishing, exercising, or defending against legal claims.

To the extent any envisioned use is inconsistent with or outside of the contemplated uses in this Notice, we will communicate that to you as required by law.

We may de-identify personal information about you or receive de-identified personal information about you, and we may use and disclose such information for any purposes in accordance with applicable law. We will maintain de-identified information in de-identified form, and will not re-identify such information, except in accordance with the requirements of applicable law. Deidentified or aggregate information is not personal information.

4. Disclosures of Personal Information

We may disclose your personal information to our affiliates (including non U.S affiliates) and third parties as appropriate for any purposes described in this Notice. In general, we disclose personal information to the following categories of third parties:

Members of the McDonald’s Family, including McDonald’s Corporation, McDonald’s USA LLC’s, and each of their respective subsidiaries and affiliates, and McDonald’s franchisees within and outside the United States;
Vendors and service providers who help McDonald’s operate our business;
Public authorities and courts;
Buyers or other parties involved in a corporate transaction if we decide to sell or transfer all or part of our business or assets;
Professional advisers such as our legal representatives, auditors, and insurance brokers; and
Other business partners if they are involved in human resources or recruiting matters.

We disclose, and have disclosed in the past twelve (12) months, personal information of Supplier Personnel for purposes described below:

To manage the Supplier relationship as described in this Notice, your personal information may be shared with McDonald’s employees, certain McDonald’s subsidiaries, and the relevant McDonald’s franchisees.
To engage vendors to assist us with processing the personal information subject to this Notice, we may disclose your personal information to our vendors.
To comply with legal obligations or in connection with legal claims, we may disclose your personal information to public authorities, courts, or our professional advisers for the following specific purposes:
- Cooperation with law enforcement agencies concerning conduct or activity that may violate federal, state or local law;
- Establishing, exercising or defending against legal claims;
- Compliance with McDonald’s policies and legal obligations;
- Dispute and complaint resolution, enabling compliance reporting, internal investigations and reviews, auditing, and compliance and risk management;
- Preventing illegal, wrongful or unethical conduct in the conduct of the McDonald’s business;
- Protecting the health and safety of Supplier, Supplier’s employees, and others;
- Safeguarding and maintaining the security of our premises, assets, IT systems, and infrastructure;
- Compliance with record-keeping and reporting obligations; and
- Compliance with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by federal, state or local authorities.
In the event of a merger or acquisition, asset sale, a transfer of some or all of McDonald’s business, or other related transaction, we may disclose your personal information to the parties involved in the transaction.
When we believe in good faith that a disclosure is required by law or to protect the safety of our employees, Suppliers, Suppliers’ employees, our franchisees and their employees, the public, or McDonald’s or our franchisees’ property, we may disclose your personal information to law enforcement agencies.

As is common practice among businesses that operate Internet websites and mobile apps, within the past 12 months, we may have disclosed certain identifiers such as email addresses and pseudonymized identifiers, information about the use of our websites and apps, and inferences drawn about you to our analytics partners. Under certain state laws, this may be considered to be a sale of personal information for consideration or a sharing of personal information for cross-context behavioral advertising.

5. Security

We maintain technical, physical, and organizational security measures that are designed to protect against unauthorized access, disclosure, damage, or loss of personal information. However, the collection, transmission, and storage of information can never be guaranteed to be completely secure. Please take steps to secure your access credentials such as login name and password, and do not share them with anyone.

6. Retention

Unless a specific retention period is mandated or permitted under applicable law, McDonald’s will only retain your personal information for the duration of time necessary to fulfill the purposes described in this Notice. This means that, in some cases, we may retain your personal information for a period of time following termination of your relationship with McDonald’s pursuant to our retention policy.

7. Notice of Monitoring of McDonald’s IT Systems

We may provide you with access to information technology systems, networks, and/or applications owned or operated by McDonald’s (the “Systems”) so you can communicate and collaborate with us. Please note that McDonald’s may monitor and record your use of these Systems, including activity you conduct while using the Systems, emails, and other electronic communications sent, received, or stored through these Systems, in order to operate the Systems, to evaluate your use of the Systems, for compliance and audit purposes, and to protect against fraud, illegal activity, violation of McDonald’s policies, or misuse of the Systems or McDonald’s information assets or other property. Accordingly, you should not have any expectation of privacy in connection with your use of the Systems.

8. Your Obligations

Please help keep your personal information up to date and inform us of any significant changes to your personal information. Further, when handling personal information about others in the course of your provision of services to McDonald’s, you must follow the law and McDonald’s policies, standards, and procedures that are brought to your attention. In particular, you must not access or use any such personal information for any purpose other than in connection with, and to the extent necessary for, your work with McDonald’s. Your obligation to keep the personal information of others confidential continues after termination of your relationship with McDonald’s.

9. Your California Privacy Rights

If you are a California resident, you have additional rights. We will honor requests received to the extent required by applicable law and within the time provided by law.

a. Right to Access, Right to Know, Right to Correct, and Right to Delete.

Right to Access and Right to Know. You have the right to request that we disclose the following to you, in each case in the twelve-month period preceding your request:
- the categories of personal information we have collected about you;
- the categories of sources from which the personal information is collected;
- our business or commercial purpose for collecting, selling, or sharing personal information;
- the categories of third parties to whom we disclose personal information;
- the specific pieces of information we have collected about you;
- the categories of personal information about you, if any, that we have sold or shared, and the categories of third parties to whom we have sold or shared the information, by category or categories of personal information for each category of third party to whom we sold or shared the personal information; and
- the categories of personal information about you that we disclosed for a business purpose, and the categories of recipients to whom we disclosed the information for a business purpose.

As used above, “shared,” “selling” and “sharing” have the meanings provided in the California Consumer Privacy Act of 2018 as amended. Please note that we do not sell, and within the last 12 months, we have not sold, personal information, including personal information of individuals under 16 years of age.

Right to Correct. You have the right to request that we correct inaccurate personal information that we have collected about you.
Right to Delete. You have the right to request that we delete personal information about you that we have collected from you. Please note however that we may decline your requests under certain exceptional circumstances permitted under the law and we will communicate such exceptions where they apply.

For requests made in connection with the Right to Access, Right to Know, Right to Correct, and/or Right to Delete, please note:

As required or permitted under applicable law, we may take steps to verify your request before we can provide personal information to you, correct or delete personal information, or otherwise process your request. To verify your request, you must provide your name, email address, and state of residence, and you may also have the option to provide your phone number. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.
We will process your request within 45 days after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period of time required by law. If your request involves us providing personal information to you, we will deliver the personal information to you electronically or by mail at your option. If electronically, then we will deliver the information to you, or at your request to another entity, in a portable and, to the extent technically feasible, structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.

b. Right to Non-Discrimination. We may not discriminate against you because of your exercise of any of the foregoing privacy rights, or any other rights under the California Consumer Privacy Act, including by:

Denying or delaying access to the Systems that you need for the provision of services to McDonald’s;
Suggesting that you will be penalized or be paid different prices, fees or rates for your goods or services;
Suggesting that the engagement of your services may be terminated.

Requests to Exercise Your Rights

You may request to exercise these rights by:

Submitting a request through McDonald’s Privacy Rights Center.
Emailing us at supplierprivacy@us.mcd.com.

As required or permitted under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may limit our response to your exercise of the above rights as permitted under applicable law.

Agent Authorization

You may designate a power of attorney or an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent or a person who has power of attorney may contact us as set forth below in “How to Contact Us” to make a request on your behalf. Even if you choose to use an agent, as permitted by law, we may require verification of the agent’s authorization to act on your behalf, require you to confirm you have authorized the agent to act on your behalf, or require you to verify your own identity.

10. Disability Accessibility

If you are a user with a disability, or an individual assisting a user with a disability, and have difficulty accessing or navigating our digital channels – including this Notice – please contact us at accessibility@us.mcd.com. You can also review our Accessibility Statement.