Rules of Procedure for Complaints Procedure in Accordance with the German Act on Corporate Due Diligence Obligations in Supply Chains
McDonald’s is committed to high ethical standards and expects its employees to conduct themselves in an ethical manner. McDonald’s supply chain business partners are also held to high standards and must follow all applicable laws and regulations, including laws regarding human rights, dignity and respect, workplace safety and worker compensation and treatment.
The following Rules of Procedure establish a framework for employees and third parties to make reports through McDonald’s Business Integrity Line and for McDonald’s to adequately process such reports in compliance with the German Act on Corporate Due Diligence Obligations in Supply Chains.
2. Scope of the Rules of Procedure
These Rules of Procedure apply to all reports into the Business Integrity Line of suspected or actual violations against human rights or environmental protection laws in the McDonald’s Germany supply chain by McDonald’s, its employees or any of McDonald’s suppliers, whether direct or indirect, that are covered under the German Act on Corporate Due Diligence Obligations in Supply Chains. Such supply chain violations may include: Disregard of occupational health and safety (according to national regulations), child labor, discrimination on the basis of descent, disability, age, gender, religion; withholding of adequate wages (according to national regulations), soil, water or air pollution, harmful noise emissions and unacceptable water consumption, production or use of certain long-lived organic pollutants, and unauthorized import and export of waste.
3. Reporting Channels
Reports can be filed by anyone through McDonald’s Business Integrity Line. The Business Integrity Line may be reached in any of the following ways and reports may be made in multiple languages:
- Email the Business Integrity mailbox: firstname.lastname@example.org
- Call the Business Integrity Line toll-free: 8001816466 (Germany). Additional toll-free numbers for other jurisdictions may also be found on McDonald’s Business Integrity website
- Report Online: https://tnwgrc.com/mcd/
If you wish to remain anonymous, you will be free to do so (as permitted by local law). However, McDonald’s encourages anyone making a report to share their identity to assist with follow up and further investigation. All reports will be handled confidentially, subject to applicable legal and regulatory requirements. McDonald’s does not tolerate retaliation against those who raise concerns or make reports in good faith.
4. Procedure for handling a report filed through the Business Integrity Line
4.1. Receipt of the report
After filing a report through the Business Integrity Line, the reporter will receive a confirmation of receipt no later than seven days after filing the report.
If the reporter has filed a report online or via phone, they will receive credentials to allow them to follow-up and receive feedback on the report anonymously (if they choose to remain so).
4.2. Forwarding of reports
All reports made through the Business Integrity Line are initially reviewed by McDonald’s Global Compliance team. McDonald’s will treat all reports confidentially and in an unbiased manner.
4.3. Processing of reports
Global Compliance will conduct an initial assessment of the report to determine whether the allegations raised warrant escalation or further review. If the report contains insufficient information to enable Global Compliance to properly assess the allegations, Global Compliance will request additional information from the reporter. If the allegations are determined to be not substantiated or insufficient information is available to complete the investigation, the matter will be concluded.
The manner of conducting any investigation may vary depending on a number of factors, including the nature of the allegations raised, the parties allegedly involved, the preservation of the attorney-client privilege and applicability of the work product doctrine. Global Compliance may refer reports to, or seek assistance from, other departments, and may request additional information from the reporter if needed.
The duration of an investigation will depend on the complexity of the case, the necessary investigative measures and the availability of information or affected parties. Every effort will be made to conclude the investigation as efficiently and expeditiously as possible.
In cases where the investigation has concluded that a violation has occurred, recommendations will be made as to appropriate corrective or disciplinary action.
4.4. Communication with the reporter
The reporter may provide follow-up information to their initial report at any time either directly or by using the report credentials received via the Business Integrity Line’s Website. Alternatively, the person filing the report can follow-up to a report through the Business Integrity Line by phone using the credentials.
McDonald’s will also provide feedback on the proceedings to the reporter no later than three months following the filing of the initial report. Upon the reporter’s request, the reporter will also be informed when the proceedings have been closed.
5. No Retaliation
Anyone who engages in retaliatory action against any individual, including third parties, who report a concern or cooperate with an investigation will face discipline, which may include separation from the company.
McDonald’s likewise has taken steps to prevent retaliation in its supply chain through contractual safeguards with its suppliers, including adherence to its Supplier Code of Conduct which prohibits retaliation.
6. Data Privacy Information for Complaints Procedure in Accordance with the German Act on Corporate Due Diligence Obligations in Supply Chains
Who is responsible for data processing?
The controller responsible for processing personal data in the context of the complaints procedure is McDonald's Deutschland LLC, contactable at the following address:
McDonald's Deutschland LLC
81477 Munich, Germany
How can you contact our Data Protection Officer?
McDonald’s Deutschland LLC
- Datenschutzbeauftragter (Data Protection Officer) -
Drygalski-Allee 51, 81477 Munich, Germany
What types of personal data do we process and where does the data come from?
As part of the above-mentioned complaints procedure, we process the following data related to your person, unless you have decided to make an anonymous report:
- If applicable, first name and last name
- If applicable, your contact details (phone number / e-mail address) for any follow-up queries we may have
- Facts relating to the case and further statements provided by you which may possibly contain personal data
For which purposes and on what legal basis do we process personal data?
The purpose of the complaints procedure is to handle reports on actual or possible violations in accordance with the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz, LkSG). After you submit your report, you will receive a confirmation of receipt. We will thoroughly investigate your report. If we need further information and if you have provided your contact details, we will get in touch with you.
The legal basis for this is compliance with a legal obligation pursuant to Sections 8 and 9 of the German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and Article 6 (1) (c) of the General Data Protection Regulation (GDPR).
Establishment, exercise or defense of legal claims
We store data related to a complaint and the processing thereof, also in the event that a legal claim is established, exercised or defended.
The legal basis for this is Article 6 (1) (f) GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Our legitimate interest is the establishment, exercise or defense of legal claims.
Are you obliged to provide the data and are there consequences if you fail to do so?
You are not obliged to provide us with your data. The provision of data is not a statutory or contractual requirement. You may also submit an anonymous report at any time.
Does automated decision-making take place?
We do not carry out any automated decision-making based on your personal data pursuant to Article 22 (1) and (4) GDPR. This means that we do not use your personal data to make decisions based solely on automated processing of your data and which produce legal effects concerning you or which similarly significantly affect you.
Who receives what types of personal data from us and for what purpose?
Recipients responsible for handling complaints
Within McDonald’s Germany, the data can be accessed by the entities or individuals responsible for the confidential handling of the complaint in the context of serving the above-mentioned purpose. To support statutory compliance and remedial action, we disclose data to supervisory authorities, the courts, and other public authorities where appropriate.
Within McDonald’s Corporation, the data can be accessed by the entities or individuals responsible for the confidential handling of the complaint in the context of serving the above-mentioned purpose. McDonald’s Corporation supports McDonald’s Germany in the processing of reports, in conducting Group-wide investigations, and in ensuring compliance across the Group.
For the operation of the reporting system, McDonald’s Deutschland LLC uses the reporting tool from Navex of McDonald’s Corporation, 110 North Carpenter Street, Chicago, Illinois 60607, USA.
Do we transfer data to countries outside of the European Union and/or the European Economic Area?
To the extent that we transfer your personal data to countries outside of the European Union and/or the European Economic Area (known as third countries), we adopt measures pursuant to Articles 44 et seq. GDPR to ensure an adequate level of data protection.
For how long do we store personal data?
In principle, your data will be erased as soon as it is no longer required to achieve the specified purposes. In order to establish, exercise or defend legal claims, we store your data for a period of three years from the conclusion of the procedure.
What are your rights in relation to the processing of your personal data?
Right to object on grounds relating to your particular situation (Article 21 (1) GDPR)
Pursuant to Article 21 (1) GDPR, as a data subject you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR; including profiling based on those provisions.
If we receive an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject or for the establishment, exercise or defense of legal claims.
As a data subject, you also have the following rights with regard to the processing of your personal data:
- Right of access by the data subject (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (‘right to be forgotten’) (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
In order to exercise your rights, you can contact the controller using the contact details provided.
More information on the General Data Protection Regulation and your rights in relation to the processing of your personal data can be found in an online brochure published by the Federal Commissioner for Data Protection and Freedom of Information: BfDI-Homepage (bund.de).