1. Introduction
McDonald’s Corporation, McDonald’s USA, LLC, and their United States subsidiaries and affiliates (“McDonald’s”, “we”, “us”, or “our”) are committed to protecting information that we collect from our suppliers, consultants, contractors, service providers, and vendors (each, a “Supplier”) for Supplier-related purposes, and for the administration of our supply chain, consultant, and vendor services-related functions. Moreover, we are mindful of privacy when we handle personal information of our Supplier’s personnel who are residents in the United States (“you” or “Supplier Personnel”). This McDonald’s Supplier Privacy Statement (this “Statement”) describes McDonald’s practices regarding the collection, use, transfer, disclosure, and other handling of Suppliers and Supplier Personnel’s personal information. This Statement may be updated from time to time to reflect changes in our personal information practices, and we will notify you of any significant changes consistent with the “Changes to This Statement” Section below.
Please note that we do not sell or share, and within the last 12 months have not sold or shared, Suppliers or Supplier Personnel’s personal information, including personal information of individuals under 16 years of age.
2. Scope
This Statement applies to our prospective, current, and former Suppliers and Supplier Personnel who are residents of the United States only.
Please note that this Statement does not apply to customers, employees, or franchisees of McDonald’s. If you are a customer and wish to learn how we process our customers’ personal information, please review McDonald's Global Customer Privacy Statement.
3. Information We Collect
We collect personal information for the administration and management of our Supplier relationships. The actual personal information collected will vary depending on your status as a prospective, current, or former Supplier as well as the nature of your position and role.
In the normal course of business, we collect, and have collected in the past twelve (12) months, the following categories of personal information about Suppliers and Supplier Personnel for the purposes set out below under “Purposes for Which Your Personal Information Is Collected and Processed”:
- Identifiers and contact information such as a Supplier Personnel’s real name, academic title, salutation, suffix, alias, postal address, unique identification numbers, online identifier, email address, Social Security number, mobile telephone numbers, passport number, driver’s license, government-issued identification number, usernames and passwords (whether assigned by McDonald’s or selected by you), accounting and payment information such as country, bank account, name of the account holder, reference details, SWIFT code, bank name and address, terms of payment, accounting correspondence, or any other financial information (to the extent it qualifies as personal information) and any other similar identifiers.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) that may identify, relate to, describe, or be capable of being associated with particular individuals, including, the “identifiers” listed in the preceding bullet point and the following: date of birth, marital status, birth or marriage certificates, nationality, signature, and physical characteristics or description (e.g., photographs).
- Characteristics of protected classifications under California or federal law, collected to ensure diversity, equity, and inclusion within the Supplier network, such as information on race and ethnicity, religious or philosophical beliefs, sexual orientation, and disability status.
- Biometric information, including fingerprint and fingerprint templates that may be used in connection with securing and providing Supplier Personnel with access to Systems.
- Internet or other electronic network activity information, including, but not limited to, information regarding and/or collected automatically as part of your interaction with the Systems (as defined below); electronic content produced or received by you using the Systems (including documents, information, and emails and other electronic communications transmitted or received through the use of the Systems); information relating to your accounts held on the Systems, websites, or apps (including account profiles on McDonald’s websites or apps and data stored in relation to such accounts, e.g., rights and privileges, activity, preferences, or other information that may be associated with your account); and information received by McDonald’s if you sign into the Systems, websites, apps, or accounts using social media or other third-party tools. This also includes voicemails, emails, and other work product correspondence and communications created, stored, or transmitted using McDonald’s computers, devices, or other communications equipment.
- Geolocation data – If you use certain McDonald’s apps or websites, such apps or websites may collect location data.
- Audio, electronic, visual, or similar information such as photographs and information captured on security systems, including key card or other entry control systems and CCTV systems.
- Professional or employment-related information, including:
- Resumes, language capabilities, references.
- Title/position, department, region/location, work-related contact details, technical skills, and emergency contact information.
- Acknowledgements regarding McDonald’s policies, such as our Standards of Business Conduct, as well as information provided pursuant to McDonald’s policies such as information regarding potential conflicts of interest or similar compliance-related information.
- Where permitted by law and pursuant to the agreement between Supplier and McDonald’s, the results of criminal background checks, drug and alcohol testing and other screening procedures performed on Supplier Personnel.
- Any information needed to comply with McDonald’s policies or other reporting obligations, or requests from any court, governmental entities, or law enforcement authorities.
- Information on the Supplier agreement concluded with McDonald’s, including commercial terms, legal terms, and any other contractual documentation, information about contract performance, instances of non-performance and information about the expiration and termination of such agreement (to the extent it qualifies as your personal information).
- Financial data and performance-related data of the relevant Supplier, financial records, quality assurance and quality control documents, and other information relevant for an audit (to the extent it qualifies as your personal information).
- Education information, defined as information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act. This includes details contained in letters of application and resumes/CVs such as institutions attended and performance.
- Inferences drawn from any of the information identified in this section to create a profile about a person reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Sensitive personal information such as government-issued ID (e.g., Social Security, driver’s license, or passport number), account login or payment card information in combination with credentials allowing access to the account, precise geolocation data, certain characteristics of protected classifications such as racial or ethnic origin, contents of mail, email, and text messages, and biometric data, in each case as further described above in the relevant categories.
We collect personal information: (1) directly from you when you provide information to us, for example, when you respond to a request for proposal, use our Systems, websites, or apps, or contact us; (2) indirectly from your computers, devices, or other communications equipment when you communicate with our Systems or applications; (3) from our security systems, including key card or other entry control systems and CCTV systems; and (4) from publicly available sources.
4. Purposes for Which Your Personal Information Is Collected and Processed
We collect and use your personal information for various business purposes which include purposes disclosed in this Statement or purposes compatible with the context in which the personal information was collected. For example, business purposes include auditing, helping to ensure security and integrity, debugging, short-term, transient use, performing services, undertaking internal research for technological development and demonstration, or undertaking activities to verify or maintain the quality of safety of a service or device. We also use your personal information for the following purposes:
- Assessment of a potential Supplier’s suitability as a Supplier as part of our Supplier due diligence process;
- Management, administration, and oversight of the Supplier relationship with McDonald’s;
- Supply chain management and collaboration;
- Strategic sourcing and procurement;
- Contract lifecycle management, invoice management, and payment to Suppliers;
- Spend analysis and dynamic pricing;
- Service and product quality management and audits;
- Provision and facilitation of access to McDonald’s and McDonald’s vendor’s systems and applications utilized during the course of the Supplier relationship (including identity and access management or in-restaurant technologies);
- Monitoring the security and use of our networks, communications and Systems, offices and facilities, property and infrastructure, and information security services;
- Reporting and statistical analysis (e.g., System usage and content access);
- Compliance with legal and regulatory obligations such as compliance with anti-money laundering and trade sanction-related requirements, including record-keeping and reporting obligations;
- Dispute and complaint resolution, internal investigations and reviews, auditing, compliance with internal policies, and risk management; and
- Establishing, exercising, or defending against legal claims.
We may also monitor visits to our websites or mobile apps and sessions of Suppliers or Supplier Personnel; this monitoring may log the details of your visits to our websites or mobile apps and information generated in the course of using our websites or mobile apps, such as mouse movements, clicks, page visits, text entered, how long you spent on a page, and other details of your visits to or actions on our websites or mobile apps. We may also share any of the data collected by these technologies with third parties for our business purposes.
To the extent any envisioned use is inconsistent with or outside of the contemplated uses in this Statement, we will communicate that to you as required by law.
We may de-identify personal information about you or receive de-identified personal information about you, and we may use and disclose such information for any purposes in accordance with applicable law. We will maintain de-identified information in de-identified form, and will not re-identify such information, except in accordance with the requirements of applicable law. De-identified or aggregate information is not personal information.
5. Disclosures of Personal Information
In order to fulfill the purposes, set out further above, we disclose Suppliers’ personal information to other McDonald’s entities or franchisees of McDonald’s entities (collectively, “McDonald’s Family”).
We also disclose personal information to various third parties outside of the McDonald’s Family for the purposes set out further above. These third parties include:
- Members of the McDonald’s Family, including McDonald’s Corporation, McDonald’s USA LLC, and each of their respective subsidiaries and affiliates, and McDonald’s franchisees within and outside the United States; Vendors and service providers who help McDonald’s operate our business;
- Public authorities and courts;
- Buyers or other parties involved in a corporate transaction if we decide to sell or transfer all or part of our business or assets;
- Professional advisers such as our legal representatives, auditors, and insurance brokers; and
- Other business partners if they are involved in human resources or recruiting matters.
We disclose, and have disclosed in the past twelve (12) months, personal information of Supplier Personnel for the purposes described below:
- To manage the Supplier relationship as described in this Statement, personal information may be disclosed to McDonald’s employees, certain McDonald’s subsidiaries, and the relevant McDonald’s franchisees;
- To engage vendors to assist us with processing the personal information subject to this Statement, we may disclose personal information to our vendors;
- To comply with legal obligations or in connection with legal claims, we may disclose personal information to public authorities, courts, or our professional advisers;
- For cooperation with law enforcement agencies concerning conduct or activity that may violate federal, state, or local law;
- For establishing, exercising, or defending against legal claims;
- For compliance with McDonald’s policies and legal obligations;
- For dispute and complaint resolution, enabling compliance reporting, internal investigations and reviews, auditing, and compliance and risk management;
- For preventing illegal, wrongful, or unethical conduct in the conduct of the McDonald’s business;
- For protecting the health and safety of Supplier, Supplier Personnel (including Supplier’s employees), and others;
- For safeguarding and maintaining the security of our premises, assets, IT systems, and infrastructure;
- For compliance with record-keeping and reporting obligations;
- For compliance with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by federal, state, or local authorities;
- In the event of a merger or acquisition, asset sale, a transfer of some or all of McDonald’s business, or other related transaction, we may disclose your personal information to the parties involved in the transaction; and
- When we believe in good faith that a disclosure is required by law or to protect the safety of our employees, Suppliers, Supplier Personnel (including Suppliers’ employees), our franchisees and their employees, the public, or McDonald’s or our franchisees’ property, we may disclose personal information to law enforcement agencies.
6. Security
We use technical, physical, and organizational security measures designed to protect against unauthorized access, disclosure, damage, or loss of personal information. The collection, transmission, and storage of information can never be guaranteed to be completely secure. Please take steps to secure your access credentials such as login name and password, and do not share them with anyone. We take steps designed to implement applicable security safeguards internally and with our third party service providers to protect your information.
7. Retention of Personal Information
Unless a specific retention period is mandated or permitted under applicable law, McDonald’s will only retain personal information for the duration of time necessary to fulfill the purposes described in this Statement. This means that we may retain your personal information, including sensitive personal information, for a period of time following termination of the Supplier relationship with McDonald’s pursuant to our retention policy. Our retention policies reflect applicable laws.
8. Notice of Monitoring of McDonald’s IT Systems
We may provide you with access to information technology systems, networks, and/or applications owned or operated by McDonald’s (the “Systems”) so you can communicate and collaborate with us. Please note that McDonald’s may monitor and record your use of these Systems, including activity you conduct while using the Systems, emails, and other electronic communications sent, received, or stored through these Systems, in order to operate the Systems, to evaluate your use of the Systems, for compliance and audit purposes, and to protect against fraud, illegal activity, violation of McDonald’s policies, or misuse of the Systems or McDonald’s information assets or other property. Accordingly, you should not have any expectation of privacy in connection with your use of the Systems.
9. Your California Privacy Rights
If you are a California resident, you have additional rights. We will honor requests received to the extent required by applicable law and within the time provided by law.
Right to Access, Right to Know, Right to Correct, and Right to Delete.
- Right to Access and Right to Know. You have the right to request that we disclose the following to you:
- the categories of personal information we have collected about you;
- the categories of sources from which the personal information is collected;
- our business or commercial purpose for collecting, selling, or sharing personal information;
- the categories of third parties to whom we disclose personal information;
- the specific pieces of information we have collected about you;
- the categories of personal information about you, if any, that we have sold or shared, and the categories of third parties to whom we have sold or shared the information, by category or categories of personal information for each category of third party to whom we sold or shared the personal information; and
- the categories of personal information about you that we disclosed for a business purpose, and the categories of recipients to whom we disclosed the information for a business purpose.
- Right to Correct. You have the right to request that we correct inaccurate personal information that we have collected about you.
- Right to Delete. You have the right to request that we delete personal information about you that we have collected from you.
Please note that we may decline your requests under certain circumstances permitted under the law and we will communicate such exceptions where they apply.
For requests made in connection with the Right to Access, Right to Know, Right to Correct, and/or Right to Delete, please note:
- As required or permitted under applicable law, we may take steps to verify your request before we can provide personal information to you, correct, or delete personal information, or otherwise process your request. To verify your request, you must provide your name, email address, and state of residence, and you may also have the option to provide your phone number. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.
- We will process your request within 45 days after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period of time required by law. If your request involves us providing personal information to you, we will deliver the personal information to you electronically or by mail at your option. If electronically, then we will deliver the information to you, or at your request to another entity, if applicable in a portable and, to the extent technically feasible, structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.
Right to Non-Discrimination. We may not discriminate against you because of your exercise of any of the foregoing privacy rights, or any other rights under the California Consumer Privacy Act, including by: Denying or delaying access to the Systems that you need for the provision of services to McDonald’s; Suggesting that you will be penalized or be paid different prices, fees or rates for your goods or services; or Suggesting that the engagement of your services may be terminated.
10. Requests to Exercise Your Rights
You may request to exercise your rights by:
Metrics Regarding Privacy Requests
We publish metrics relating to our handling of California rights requests in the previous calendar year, including requests submitted by Suppliers, in our California Privacy Notice
The following metrics relate to our handling of California rights request received from all individuals in the U.S. who identified themselves as current Supplier or former Supplier in the period from January 1, 2023 to December 31, 2023.
Right to Know/Access
- Requests Received: 5
- Requests Completed: 4
- Requests Not Completed: 1
- Median Number of Days to Complete: 10
Right to Delete
- Requests Received: 5
- Requests Completed: 4
- Requests Not Completed: 1
- Median Number of Days to Complete: 10
Update Data
- Requests Received: 4
- Requests Completed: 3
- Requests Not Completed: 1
- Median Number of Days to Complete: 10.5
11. Accessibility
If you are a user with a disability, or an individual assisting a user with a disability, and have difficulty accessing or navigating our digital channels – including this Statement – please contact us at accessibility@us.mcd.com. You can also review our Accessibility Statement.
12. Do Not Track
Please note that our websites and mobile apps are not designed to respond to “do not track” requests from web browsers.
13. How to Contact Us
If you have any questions or concerns in relation to our collection and management of your information or this Statement, you can reach us at:
Privacy at McDonald's, Dept. 282
110 North Carpenter Street
Chicago, IL 60607-2101, USA
contact.privacy@us.mcd.com
14. Changes to This Statement
From time to time we may change, modify, or amend this Statement in order to comply with the evolving regulatory environment or reflect the way we operate our business. Subject to any applicable legal requirements to provide additional notice and/or obtain consent, any changes to this Statement will be communicated to you through existing McDonald’s communication channels and resources.