II. Your Privacy Globally
The data controller of your personal information is the McDonald’s entity in the jurisdiction where your personal information is collected (“we” or “us”). Please refer to the applicable country specific addendum for more information.
If you are a customer in a country not listed above, please visit the country’s McDonald’s website for the applicable Privacy Statement.
Many of our restaurants are owned and operated by franchisees, who are independent businessmen and women. This Privacy Statement does not apply to our franchisees or to websites or mobile apps that they operate. Please reference our franchisees’ privacy notices for information on how they collect and use customer information.
- Information We Collect
- How We Use The Information We Collect
- How We Share The Information We Collect
- Children's Privacy Notice
- Your Choices and Rights
- Use Of Our Online Services And Other Technology
- Links To Other Websites And Social Media
- Information Security
- Retention
- International Data Transfers
- Changes To Our Privacy Statement
- How To Contact Us
1. Information We collect
We may collect personal information about you when you visit our restaurants, use our websites or mobile apps (“online services”), and otherwise interact with us (collectively, “services”). The information we collect falls into three categories: (a) information you provide to us; (b) information we collect through automated methods when you use our services; and (c) information we collect from other sources (see below).
Generally, you are under no obligation to provide your personal information. However, in certain cases, we may be unable to provide you with our services unless you provide your personal information.
We may combine the information you provide to us with information that is collected through automated methods, and with information we receive from other sources. For example, when you add a method of payment to your profile in our mobile app, we may combine your profile with information we receive from our payment processors or other providers regarding transactions made with the same payment credentials in our restaurants.
We collect information you provide to us
You may provide the following information to us, depending on how you interact with us:
- personal details, such as your name, postal and email addresses, phone number, birthday information and other contact information, when you register with our online services, log-in to Wi-Fi, enter one of our competitions, or contact us by phone or through our online services;
- demographic information such as age or gender;
- transaction information, including information about the products you buy, prices, method of payment and payment details;
- account information, such as your username or password (or anything else that identifies you) used to access our online services or to buy or use our products and services;
- profile information, including products and services you like, or times you prefer to visit us; and
- other personal information you choose to provide us when you interact with us (including through social media).
We collect information through automated methods
We may use automated technology to collect information from your computer system or mobile device when you visit our restaurants, use our online services, or in-restaurant technology. Automated technology may include cookies, local shared objects, and web beacons. There is more information below about cookies and other technologies in Section 6.
We may collect information about your:
- internet protocol (IP) address;
- computer or mobile-device operating system and browser type;
- type of mobile device and its settings;
- device identifier for vendors (IDFV);
- unique device identifier (UDID) or mobile equipment identifier (MEID) of your mobile device;
- device and component serial numbers;
- advertising identifiers (for example, an Identifier for Advertising (IDFA) on Apple devices) or similar identifiers;
- referring webpage (a page that has led you to ours) or application;
- online activity on other websites, applications or social media;
- visits to our restaurants, where recorded using digital technology (e.g. video recordings); and
- activity related to how you use our online services or in-restaurant technology, such as the pages you visit on our websites or in our mobile apps.
Our online services and in-restaurant technology may collect information about the exact location of your mobile device or computer using geolocation and technology such as GPS, Wi-Fi, Bluetooth, or cell tower proximity. For most mobile devices and computer systems, you can disable the collection of this information by using the device or web-browser settings. If you have any questions about how to prevent us from collecting exact information about your location, we recommend you contact your mobile-device service provider, the device manufacturer, or your web-browser provider. Some online services and in-restaurant technology may not work properly without information about your location.
We collect information from other sources
We may collect information about you from our business partners and vendors (e.g., food delivery platforms, data providers, or payment processors) or from public sources (e.g., your public social media posts).
Back to Top
2. How We Use the Information We Collect
We use the information we collect for the following purposes:
- to provide our products and services and contract with you, including payment processing and customer support;
- to manage our relationship with you, including feedback management and customer surveys;
- to personalize and improve our products and services and your overall customer experience, in particular by improving our existing technologies and developing new products and services and employing profiling technology (unless we notify you separately thereof, this will not include automated individual decisions that have legal effects for you or similarly significantly affect you);
- to provide you with general and personalized electronic and non-electronic direct marketing information and support our targeted advertising initiatives concerning our products and services as well as our business partners’ products and services (including promotions, contests, prize draws, competitions and sweepstakes);
- business analytics, including consumer and operations research, to assess the effectiveness of our sales, online service, marketing, and advertising, and to analyze market trends and (future) customer demand;
- to ensure the security of our online services and in-restaurant technology, including the detection, prevention, and investigation of attacks;
- to protect against, identify and prevent fraud and other crime, claims and other liabilities;
- to protect the rights, safety, health, and security of our customers, our employees, our franchisees, and the general public, and to protect our property;
- to anonymize your information for further internal and external use in a manner that does not identify you;
- to comply with legal obligations and our Standards of Business Conduct; and
- to establish, exercise or defend a legal claim.
We may use the information we collect about you in other ways, which we will tell you about at the time we collect it or before we begin using it for those other purposes.
If we are established in the EU or the European Economic Area (“EEA”) or are otherwise subject to the General Data Protection Regulation (“GDPR”), we process your personal information on the basis of:
- the necessity to perform a contract we have concluded with you or the necessity to take steps at your request prior to entering into such a contract (Article 6(1)(b) GDPR);
- our prevailing legitimate interest to personalize and improve your overall customer experience and achieve the purposes set out above (Article 6(1)(f) GDPR);
- the necessity to comply with legal obligations to which we are subject (Article 6(1)(c) GDPR); or in some cases,
- your consent for which we may ask you in a separate process (Article 6(1)(a) GDPR).
Back to Top
3. How We Share the Information We Collect
We do not sell your personal information and only share your information as described in this Privacy Statement or as otherwise communicated to you at the time we collect your information.
Please note that some US state statutes may define a “sale” to include sharing of personal information with third parties for valuable consideration. Many companies have common arrangements with online advertising networks and analytics companies that may potentially be considered sales under these definitions. Please reference our Additional Notice for California Consumers in the US Country Specific Addendum (below) for more information.
We may share your personal information with
- members of the McDonald's Family: The McDonald's Family consists of McDonald’s Corporation and McDonald’s Global Markets LLC, and their affiliates and subsidiaries (“McDonald’s Entities”), and franchisees of McDonald’s Entities;
- vendors who help us operate our business (including information technology service providers and marketing agencies that we use as well as those who use the information to detect or prevent fraud for us, and who may use the information to provide fraud detection and prevention services to others);
- public authorities and courts;
- buyers or other parties involved in a corporate transaction if we decide to sell or transfer all or part of our business;
- our professional advisers such as our legal representatives, auditors and insurance brokers; and
- business partners if they are involved in your customer experience, including product or service delivery (e.g., food delivery platforms).
Back to Top
4. Children's Privacy Notice
We understand how important it is to protect your privacy when you use our online services. We are especially committed to protecting the privacy of children who visit or use our online services. For more information on how a specific country protects children’s privacy, please see the country specific addendum.
We urge parents to regularly monitor and supervise their children's online activities. If you have any questions about our children’s privacy practices, please contact us at our Global or Local Data Protection Office using the contact information provided below. If you are contacting a Local Data Protection Office, please choose the office in the country in which you are a customer.
Back to Top
5. Your Choices and Rights
Marketing Communications
If you are subscribed to our marketing communications, you can later opt out by following the opt-out instructions in the marketing communications we send you. You can also generally find your communication preferences with instructions on how to opt out in the profile section of the online services that you use. You may also have the ability to change your communication preferences using your device settings. You can also opt out by contacting us at our Global or Local Data Protection Office using the contact information provided below. If you are contacting a Local Data Protection Office, please choose the office in the country in which you are a customer.
If you do opt out of receiving marketing communications from us, we may still send communications to you about your transactions, any accounts you have with us, and any contests, competitions, prize draws or sweepstakes you have entered. Opting out of one form of communication does not mean you have opted out of other forms as well. For example, if you opt out of receiving marketing emails, you may still receive marketing text messages if you have opted in to receiving them. Please note that if you are receiving communications from a McDonald’s franchisee, then you will need to opt out from them directly.
We do not share personal information with third parties for their own direct marketing purposes, unless you give us permission to do so. When we give you notice, and you consent, we will share your personal information as you direct us to.
Your Personal Information Rights
Under applicable law, you may have the rights (under the conditions and to the extent set out in applicable law):
- to check whether and what kind of personal information we hold about you and to access or to request copies of such data;
- to request correction, supplementation, anonymization, blocking or deletion of information about you that is inaccurate, incomplete, outdated, unnecessary, excessive or processed in non-compliance with applicable requirements;
- to request the restriction of the collection, processing or use of information about you;
- in certain circumstances, to object for legitimate reasons to the processing of your information or to revoke consent previously granted for the processing while the latter does not affect the lawfulness of processing before the revocation;
- to request data portability; and
- to lodge a complaint with the competent authority.
For more information regarding these rights, and the countries where these rights are available, please see the country specific addendum.
Back to Top
6. Use of Our Online Services and Other Technology
We and our vendors may use cookies, web beacons and other similar technologies on our online services and in other areas related to our business, such as online advertising, to collect information and provide you with the services or products that you have requested.
Cookies and other technologies
A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and is used to remember and/or obtain information about the user.
A “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity. They are also sometimes referred to as pixels and tags.
Please note the following:
- You might be assigned a cookie when using our online services.
- We offer certain features that are available only through the use of cookies and other similar technologies.
- We may use both session (for the duration of your visit) and persistent (for the duration of a fixed period of time) cookies and other tracking technologies.
- Our online services and other areas related to our business may have web beacons.
Both we and selected third parties (such as our advertising networks) may use these technologies to collect information about your online activities, over time and across third-party websites and devices, and when using our online services to further personalize your experience with us.
Use the options in your web browser if you do not wish to receive a cookie or if you wish to set your browser to notify you when you receive a cookie. Click on the “Help” section of your browser to learn how to change your cookie preferences. If you disable all cookies, you may not be able to take advantage of all the features available on a website.
Some newer web browsers may have a "Do Not Track" preference that transmits a "Do Not Track" header to the websites you visit with information indicating that you do not want your activity to be tracked. McDonald’s does not currently take actions to respond to Do Not Track signals because a uniform technological standard has not yet been developed. We continue to review new technologies and may adopt a standard once one is created.
More information regarding how cookies and related technologies are used in a country in which you are a customer may be available in the country-specific addendum or a cookie preferences section of the online service.
Targeted advertising
When you use our online services, we (and our vendors) may collect information about your activities so that we can provide you with advertising tailored to your interests.
Because we utilize advertising (“ad”) networks, you may see certain ads on other websites. Ad networks allow us to target the information we send you based on your interests, other information related to you, and contextual means. These ad networks track your online activities over time by collecting information through use of cookies, web beacons, and other technologies. The ad networks use this information to show you advertisements that may be of particular interest to you. The ad networks we utilize may collect information about your visits to websites that also take part in the relevant ad network, such as the pages or advertisements you view and how you use the websites. We use this information, both on our online services and on third-party websites that take part in the ad networks, to provide you with advertising tailored to you, and to help us assess how effective our marketing is.
You can opt out of targeted advertising by visiting the Digital Advertising Alliance website or the Network Advertising Initiative website . If you choose to opt out, you will continue to receive advertisements, but they will not be tailored to your interests. Please refer to the country-specific addendum or a cookie preferences section of the online service for further information on your choices concerning target advertising. Moreover, depending on the type and version of the operating system of your mobile device, you may also be asked whether to enable targeted advertising.
Back to Top
7. Links to Other Websites and Social Media
Our online services may offer links to websites that are not run by us but by third parties. If you visit one of these linked websites, you should read the website’s privacy policy, terms and conditions, and their other policies. We are not responsible for the policies and practices of third parties. Any information you give to those organizations is dealt with under their privacy policy, terms and conditions, and other policies.
We may also have providers of other apps, tools, widgets and plug-ins (“Plug-Ins”) on our online services, such as Facebook “Like” buttons, which may also use automated methods to collect information about how you use these features. These organizations may use your information in line with their own privacy policies. Please see the country-specific addendum for further information on your choices concerning such Plug-Ins.
Back to Top
8. Information Security
We are committed to taking appropriate measures designed to keep your personal information secure. Our technical, organizational and physical measures are designed to protect personal information from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the internet or any other public network can be guaranteed to be 100% secure.
Back to Top
9. Retention
We keep your information for the length of time needed to carry out the purposes outlined in this Privacy Statement and to adhere to our policies on keeping records (unless a longer period is needed by law). Our records policies reflect applicable laws. We will retain and use your information to the extent necessary to manage your relationship with us, personalize and improve your overall customer experience, and to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, enforce our agreements, and as otherwise described in this Statement.
Back to Top
10. International Data Transfers
The McDonald’s Family is global in nature with business processes, management structures and technical systems that cross borders. As such, we may share information about you within the McDonald’s Family and transfer it to countries in the world where our vendors or members of the McDonald’s Family are established. Any international data transfers will be in accordance with this Privacy Statement and in compliance with applicable laws.
If we are established in Switzerland or in the EU/EEA or are otherwise subject to the GDPR or similar laws, we only transfer your personal information to countries that are considered by those laws to provide an adequate level of protection or otherwise where we have established or confirmed that all data recipients will provide an adequate level of data protection, in particular by way of entering into appropriate data transfer agreements based on Standard Contractual Clauses (e.g., Commission Implementing Decision (EU) 2021/914) and other suitable measures, which are accessible from us upon request.
McDonald’s Corporation and McDonald’s Global Markets LLC’s participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
On 16 July 2020, the European Court of Justice ruled that the Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Notwithstanding the above, McDonald’s Corporation and McDonald’s Global Markets LLC, a wholly-owned subsidiary, participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) administered by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. For purposes of this Privacy Shield section only, McDonald’s Corporation and McDonald’s Global Markets LLC are each individually and collectively referred as “McDonald’s Global”. McDonald’s Global’s participation in the Privacy Shield subjects it to the investigatory and enforcement power of the Federal Trade Commission. You can view a complete list of all Privacy Shield participants, including McDonald’s Global, at the Privacy Shield participants’ page.
As a Privacy Shield participant, McDonald’s Global is committed to and has certified that it adheres to the Privacy Shield Principles for all personal information received from the European Union and Switzerland in reliance on the Privacy Shield. Please note the following:
- McDonald’s Global may share personal information that is subject to the Privacy Shield Principles with vendors who provide services to it, as described above in Section 3. McDonald’s Global may be liable under the Privacy Shield if these vendors process such personal information in a manner inconsistent with the Privacy Shield and McDonald’s Global is responsible for the event giving rise to the damage.
- McDonald’s Global may disclose personal information received in reliance on the Privacy Shield in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- You have the right to request access to personal information received by McDonald’s Global in reliance on the Privacy Shield, and to exercise choice in limiting McDonald’s Global use and disclosure of such information. If you are interested in exercising your right and choice, please contact McDonald’s Global at the address, phone number or email address below.
McDonald’s Global’ s privacy practices are provided in this Privacy Statement. McDonald’s Global encourages you to contact it at any time with questions, concerns or complaints about its privacy practices and participation in the Privacy Shield; simply use the address, phone number or email address provided below. You may also refer a complaint to your local data protection authority and McDonald’s Global will work with them to resolve your concern.
If McDonald’s Global is unable to resolve your concern regarding your personal information received by McDonald’s Global under the Privacy Shield, you have the right to direct your unresolved concern to JAMS, an independent dispute resolution service based in the United States, to provide recourse at no charge to you. To seek recourse for an unresolved concern, visit JAMS' Privacy Shield Dispute Resolution page . If JAMS is unable to resolve your concern, you may have the right to invoke binding arbitration under certain conditions. To learn more about this option, visit the Privacy Shield "How to Submit a Complaint" page.
Please note that the foregoing processes apply only to the resolution of disputes regarding personal information received by McDonald’s Global under the Privacy Shield. All other disputes that you may have with McDonald’s Global or any other members of the McDonald’s Family, or any agents, representatives, agencies, officers, directors, or employees, must be resolved in accordance with the terms and conditions of any applicable websites, mobile apps, email newsletters, email subscriptions or other digital properties owned or controlled by a member of the McDonald’s Family.
For more information about the Privacy Shield program, and to view McDonald’s Global’ s certification, please visit the Privacy Shield website.
Back to Top
11. Changes To Our Privacy Statement
This Privacy Statement is in effect as of the date noted at the top of the statement. We may change this Privacy Statement from time to time. If we do, we will post the revised version here and change the “last updated date” (the date it applies from) at the top of the statement and/or contact you directly where we deem appropriate to do so under applicable law. You should check here regularly for the most up-to-date version of the statement.
Back to Top
12. How To Contact Us
In line with our Standards of Business Conduct, we hold ourselves to ethical standards when it comes to data privacy and protection and we welcome any feedback or questions you may have concerning the collection and processing of your personal data.
Our contact details and those of our Local Data Protection Office as well as the contact details of our data protection officer, if appointed, can be found in the country-specific addendum.
The McDonald’s Global Data Protection Office can be reached at
Attention: Global Data Protection Office
Privacy at McDonald's, Dept. 282
110 North Carpenter Street
Chicago, IL 60607-2101, USA
contact.privacy@us.mcd.com
McDonald’s Corporation has appointed a data protection officer who can be reached at:
Attention: Data Protection Officer
Privacy at McDonald's, Dept. 282
110 North Carpenter Street
Chicago, IL 60607-2101, USA
contact.privacy@us.mcd.com
Back to Top
United Kingdom
Last updated: 07 March 2023
1. Data Controller
McDonald’s Restaurants Limited is the data controller for the processing of your personal information.
2. Scope of this UK Privacy Statement
This UK Privacy Statement supplements the McDonald’s Global Privacy Statement and is intended to provide additional information about how McDonald’s uses your personal information in connection with online and in-restaurant services that McDonald’s makes available in the United Kingdom (including in respect of McDonald’s website, mobile app, social media pages, email newsletters, in-restaurant ordering screens and drive thru windows) and any other personal information collected by McDonald’s which we receive from third parties such as delivery operators who share your personal information with us when you consent to receiving our marketing communications.
3. Your Personal Information Rights
You have certain rights in relation to the personal data we hold about you. In connection with these rights, you may :
- Withdraw this consent at any time, where we rely on your consent as a basis for processing your personal information. The withdrawal of the consent shall not affect the lawfulness of the processing that took place based on your consent before its withdrawal;
- Request access to your personal information and obtain a copy of it;
- Obtain your personal information in a structured, commonly used and machine-readable format and request us to transmit it directly to another company in case your personal information is processed based on your prior consent, or required for the performance of a contract;
- Have your personal information corrected when it is inaccurate or incomplete;
- Object on grounds relating to your particular situation to our processing of your personal information based on our legitimate business interest, including profiling, and to the sending of marketing communications;
- Have your personal information erased, including any links to, copy or replication of such information, in certain circumstances, such as where we no longer need it or if you withdraw your consent (where applicable); and
- Obtain the restriction of the processing while we are processing your request or challenge the accuracy of your personal information or the lawfulness of the processing of your personal information and our legitimate interests to process this information, or if you need the personal information for litigation purposes.
You may exercise these rights free of charge by clicking here. However, subject to the applicable law, McDonald’s may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, for example if the same request is made repetitively. In some situations, McDonald’s may refuse to act or impose limitations on the information disclosed if, for instance, the disclosure is likely to adversely affect the rights and freedoms of others, prejudice the execution or enforcement of the law, or interfere with pending or future litigation.
You also have the right to lodge a complaint about our processing of your personal information with the Information Commissioner's Office, which is the Supervisory Authority in the UK. Contact details are as follows: https://ico.org.uk/concerns/ or 0303 123 1113 or casework@ico.org.uk
4. Children’s Privacy
Our policy is to not collect personal information from any child unless data is needed for a specific activity or as a result of exceptional circumstances, in which event we will ensure that the child's parent or guardian has first provided us with written consent to that specific activity or that we have another lawful basis for collecting the personal information.
5. Cookies and Other Technologies
A copy of McDonald’s UK cookies policy can be found here.
6. Purposes for which we process your personal information
a) To carry out online advertising
We may share your personal information with third party advertising technology companies (“Advertising Partners”) so that we can advertise to our customers and other people on websites apps and digital properties that are operated by the Advertising Partners or third parties that also work with our Advertising Partners (“Third Party Sites”). Our Advertising Partners include Meta, Snap, Twitter, and Google.
We carry out the following online advertising activities:
- Customer Match Advertising on Third Party Sites
We may share your email address or other identifiers (e.g. your device ID) with our Advertising Partners, so that our Advertising Partners can try to “match” your data with their data or the registration data of Third Party Sites.
Where there is a match, our advertising will be displayed to you when you use the relevant Third Party Site (e.g. on your Facebook newsfeed). This is known as “custom audience” advertising, because we “customise” the audience that we want to reach on other online services.
We may also share your personal information with Advertising Partners in order to exclude you from seeing our advertising (because we are trying to reach people that are not yet our customers).
We will only do this activity where we have appropriate permission (for example, where you have given us permission to track you through your app settings).
- Using cookies and other similar technologies
We and our Advertising Partners may use cookies and other similar technologies on McDonald’s online services to recognise you, and to display our advertising to you, when you visit Third Party Sites.
Where your data is collected through the use of non-essential cookies, we rely on consent to collect your personal data and for the onward processing purpose. Please see the “Cookies and Other Technologies” section for more information about the cookies and other similar technologies that we use. In certain circumstances, we may rely on another lawful basis when we use your personal data collected via the use of cookies as detailed in the relevant section.
- Lookalike Advertising on Third Party Sites
Where we share your personal information with Advertising Partners as described in this section, we may also ask the Advertising Partner to find other people that share similar interests and behaviours to you, and to show our advertising to those people when they use Third Party Sites. We will only share this personal information where we have appropriate permission (for example, where you have given us permission to track you through your app settings).
This is based on personal information that you have provided through your use of Third Party Sites (which may include Third Party Sites of the Advertising Partner). This personal information might include demographic data (such as your age or gender) and interest-based data (things that you like). This personal information is not shared with us.
To the extent we are a controller of this personal information, we consider it is in our legitimate interest to use this personal data in this way to increase the effectiveness of our advertising by displaying our ads on individuals who share similar interests and characteristics to our customer base.
- Using tools made available by Advertising Partners
Advertising Partners may provide tools that we can use to deliver our advertisements to people who we think are more likely to be interested in our products and services.
For example, an Advertising Partner may have determined that you are a ‘coffee-lover’ using data that they have collected about you through your use of Third Party Sites (which may include Third Party Sites of the Advertising Partner). If we want to display a McCafé advertisement to coffee lovers, the Advertising Partners that we work with may allow us to show our advertisement to you using selection tools that they make available. The personal information that is used for this is not shared with us.
To the extent we are a controller of this personal information, we consider it is in our legitimate interest to use this personal data in this way to ensure our advertising is relevant to those receiving it.
- Measuring the effectiveness of our online advertising
We and the Advertising Partners that we work with may use your personal information, cookies, and other similar technologies on McDonald’s online services to measure the effectiveness of our advertising. Where we use personal data collected through the use of cookies to measure the effectiveness of our advertising, it is in our legitimate interest to use your personal data in such a way to inform our advertising strategy.
Please see the “Cookies and Other Technologies” section for more information about the cookies and other similar technologies that we use.
In addition, when you see our advertisements on Third Party Sites, the Third Party Sites and Advertising Partners that we work with may separately collect personal information about your interaction with our advertisements, which is used to provide us with aggregated statistics and reports (which do not contain your personal information) to help to measure the effectiveness of our advertising.
Sometimes the advertising that we show to you may be personalised to you. Please see the “Personalising your McDonald’s experience” section for further information.
For some of the activities referred to in this section, we may be joint controllers with some of our Advertising Partners and the use of your personal information may also be subject to the privacy policies and practices of our Advertising Partners and choices that you have made on Third Party Sites. Please see the “Our Advertising Partners’ Platforms” section below for further information.
b) Our Facebook Page
When you visit our Facebook Page, Facebook Ireland will collect insights data and will process such insights data as described here. Facebook does not share your personal information with us for this purpose, but they may provide us with aggregated statistics about your use of our Facebook Page.
c) CCTV
CCTV is used in McDonald’s restaurants for the following legitimate business interests:
- To prevent and detect crime, disorder, and misconduct, and to protect McDonald’s systems, facilities, and property against damage, disruption, vandalism, fraudulent activity, and other crime (including detecting fraudulent use or misuse of customer-facing services, such as MyMcDonald’s Rewards);
- To assist law enforcement in the prevention, investigation, detection, and prosecution of crime;
- To provide evidence in the event of legal proceedings issued by or bought against McDonald’s; and
- To assist in day-to-day management of restaurants and offices, including for health and safety purposes.
McDonald’s also captures your image if you are using our drive thru, at the time you place an order. This is not permanently saved onto any device. Instead, it is displayed on the cashier’s till in the drive thru window and is then automatically deleted within 30 minutes of the sale being completed. The image captured will generally include only the head and shoulders of the individual making the order and is captured for McDonald’s legitimate business interests to ensure that the completed food and beverage order is passed to the same person who placed the order.
d) Customer Services
We may monitor, record, store, and use any telephone, email, or other communication with you in order to check any instructions given to us, for training purposes, and to improve the quality of our customer service. It is in our legitimate interests to use your personal information for this purpose.
e) Bringing and defending legal claims – sharing with our insurer
We may share your personal information with our insurance brokers, Artex Risk Solutions (UK) Limited (trading as Artex Risk Solutions, “Artex”), where necessary to bring or defend legal claims and/or to protect the rights, interests, safety, and security of our organisation, our employees, franchisees, or members of the public. Amber uses the information in accordance with its privacy notice located at https://www.artexrisk.com/privacy-notice/. To exercise your rights in relation to Artex’s processing of your personal information, please contact Artex directly as set out in section 9 (“Contact us”) of Artex’s privacy notice.
It is in our legitimate interest to bring and defend legal claims and to use your personal information for this purpose.
f) Fraud Detection and Prevention
We may share your personal information with suppliers who help to protect you and McDonald’s from fraud. One such supplier is Sift Science, Inc. (“Sift”) which uses the information as a controller for the benefit of McDonald’s and others in accordance with its privacy notice located at https://sift.com/service-privacy. To exercise your rights in relation to Sift’s processing of your personal information, please contact Sift directly as set out in Part VI (“How to contact us”) of Sift’s privacy notice.
It is in our legitimate interest to ensure that we and you are not subject to fraud and for us to use your information for this purpose.
g) Prize promotions (including competitions, draws and instant win offers)
If you win a major prize through our prize promotions, we may be required, by self-regulatory codes that we are subject to, to publish or make available personal information to demonstrate that a valid award took place. Such information will typically include your surname and the county where you live but may include other personal information relating to the prize promotion. You are entitled to object to us sharing your personal information for this purpose (see ‘How to Contact McDonald’s UK' below), but we may still provide this to self-regulatory bodies (such as the Advertising Standards Authority) on request.
It is in our legitimate interests to use your personal information in this way to ensure that our prize promotion is administered fairly and effectively, and to ensure that we comply with self-regulatory codes.
h) Covid-19 Contact Tracing
In line with government guidance and our legal obligations, we support official contact tracing initiatives. Contact tracing allows people who may have been close to someone who has tested positive for COVID-19 to be made aware of that fact so that they can self-isolate. It is a key part of the ongoing COVID-19 response and can help break infection chains.
Government guidance and regulation is subject to change based on the current state of the pandemic, and requirements may vary depending on where the restaurant that you are visiting is located. Where contact tracing is legally required, you may not be allowed to enter or eat in a restaurant if you do not participate in contact tracing initiatives. Contact tracing may involve:
- Completing an online COVID-19 Registration Form with contact details and information about your visit; and
- Using official contact tracing apps, where these are available and where they meet local contact tracing requirements. Please note that we do not receive personal information when you use official contact tracing apps.
If you are asked to fill in our COVID-19 Registration Form, we set out below details of the information that we may collect and how we use it.
Information we may collect
When you eat in our restaurants, we may collect your name, phone number, restaurant number (details provided at your table), time you arrived at our restaurant, how long you plan to stay, and the number of people in your group. We automatically capture the date and time that you accessed the form (which will be used as the date and time that you visited our restaurant).
If you are in a group of two or more people: Only one of you needs to provide your details (unless local requirements require all members of the group to complete the form), but that person should also tell us how many people were with them. If you are the person completing the form, please keep a note of the name and contact details of those who accompany you. We will not ask for the details of the other person(s) but, if you are contacted by public health authorities, they will ask you to provide this information so that they can contact everyone who was with you.
If you are under the age of 16: If you are in a group, please ask someone in your group who is over the age of 16 to complete the registration form (unless local requirements require minors to complete the form). If you are on your own or if all of the people in your group are under the age of 16, please provide the phone number of a parent or guardian instead of your own number.
Using, storing, and sharing this information
We use the information that we collect for contact tracing purposes only. Here is how contact tracing works:
If you or a person who has been in a restaurant at the same time as you later tests positive for COVID-19, the relevant national health authority may contact us to ask us to share with them the record of our customers who also ate in the same restaurant at the same time as the COVID-19 positive person. We will supply that authority with the information that you gave us via our COVID-19 Store Registration Form, so that it can notify you and other customers as it deems appropriate.
If you are contacted by a public health authority and/or contact tracing scheme, and you are asked to provide any personal information, you should ensure that the caller is genuine. You should be cautious that fraudsters or scammers could seek to obtain information from you by pretending to be a contact tracing agency, and you should not be required to provide your bank or other financial details to a genuine caller.
We will not share your information with anyone else and we will not use it for any other purpose. We will only hold the information for a short period of 21 days after which it will be securely deleted.
For further information about contact tracing in the UK, please see the following:
· England: https://contact-tracing.phe.gov.uk/help/privacy-notice
· Scotland: https://www.informationgovernance.scot.nhs.uk/use-of-your-data-for-track-trace-isolate-tti/
· Wales: http://www.wales.nhs.uk/traceprivacyanddataprotectioninformation
· Northern Ireland: https://www.publichealth.hscni.net/covid-19-coronavirus/testing-and-tracing-covid-19
It is in our, our customers’, and the public health authorities’ legitimate interests that we participate in contact tracing schemes, in particular to contribute to efforts to break COVID-19 infection chains and protect our communities. Depending on your location and the current restrictions that are in force, we may also be legally required to participate in contact tracing schemes and/or obtain your contact details for contact tracing purposes.
i) MyMcDonald’s Rewards
MyMcDonald’s Rewards is our points based loyalty scheme, where you can receive bonuses or offers and earn rewards that can be redeemed in certain restaurants and via the McDonald’s app. Use of MyMcDonald’s Rewards is subject to separate MyMcDonald’s Rewards Terms (UK) (“Reward Terms”). You can find out more about MyMcDonald’s Rewards here.
When you sign up to MyMcDonald’s Rewards, we obtain your consent to use your personal information to personalise your McDonald’s experience. For more information about the personal information that we use, and how we use it to personalise your McDonald’s experience, including for MyMcDonald’s Rewards, please see the “Personalising your McDonald’s experience ” section. You can withdraw your consent by deleting your customer account (see “Closing your MyMcDonald’s Rewards account” in the Reward Terms).
In addition, we will use your personal information, including your registration data, order history, and details of offers and rewards that you have received and redeemed, to:
- administer and manage your MyMcDonald’s Rewards account, including to respond to any queries that you have in respect of your account; and
- monitor compliance with the Reward Terms, and to protect you and us against fraudulent activity, including to detect any suspicious activity concerning your MyMcDonald’s Rewards account and/or the improper receipt or redemption of points or rewards. See the “Your compliance with the Reward Terms” section of the Reward Terms for further information.
It is in our and your legitimate interests to use your personal information for these purposes, so that we can provide MyMcDonald’s Rewards to you in an effective manner and to protect you and us against fraudulent activity.
j) Personalising your McDonald’s experience
We want to ensure that you have the best possible experience when using McDonald’s and interacting with us. To do this, we may use your personal information to tailor our products and services to you, including as follows:
- MyMcDonald’s Rewards: If you are signed-up to MyMcDonald’s Rewards, we will use your personal information to personalise the offers and rewards that you receive. You can find out more about MyMcDonald’s Rewards here. Please note, if we do not have your consent for this, we will not be able to provide MyMcDonald’s Rewards to you.
- Personalised marketing: If you receive marketing from us (for example where you have subscribed to receive our email marketing) we may use your personal information to tailor the communications that we send to you. This means that the marketing communications are more likely to be relevant and of interest to you.
- Personalised advertising: If we deliver online advertising to you on Third Party Sites (see the “To carry out online advertising” section), we and Advertising Partners that we work with may use your personal information to tailor the advertising that you see. This means that the advertising is more likely to be relevant and of interest to you. Please note, if we do not have your consent for this, you may still see our advertisements on Third Party Sites but they may be about products and services that do not interest you.
- Personalising our in-restaurant services: We want to provide you with personalised product recommendations when you use our in-restaurant services. We will do this if you are signed-up to MyMcDonald’s Rewards and if you identify yourself at our ordering screens or at the drive thru (available at select locations only). If you are not signed-up to MyMcDonald’s Rewards or do not identify yourself as described in this section, we will not personalise our in-restaurant services to you, but you may still receive non-personalised product recommendations which may be of less interest to you (for example, if it is sunny, we might recommend a McFlurry to you).
To personalise your experience in the manners described above, we use your order history and data relating to your use of our services. This includes analysing your use of the McDonald’s app (such as pages viewed and products added to your basket), actions that you take in relation to rewards and offers (such as whether you redeem offers), and your interaction with our marketing communications. We do this to learn more about you and to make predictions about your individual preferences. In some cases, the data that we use may be collected using cookies and similar technologies.
We will only personalise your experience in the manners described above with your consent, which we will obtain in the following ways:
- When you sign up to MyMcDonald’s Rewards, we will ask for your consent to use your personal information to personalise your MyMcDonald’s Rewards experience and to receive personalised marketing and advertising from us. If you do not provide your consent or you later withdraw it (see the “MyMcDonald’s Rewards” section for details of how to withdraw your consent), we will not be able to provide MyMcDonald’s Rewards to you and we will not personalise the marketing that we send to you. In other words, if you are not signed up to MyMcDonald’s Rewards, any marketing communications that you receive (including email marketing that you are subscribed to) will not be tailored to you and may be of less interest to you.
- We may seek other consents from you from time to time to personalise other specific activities. For example:
The only time we will not obtain consent for personalisation is if you have already engaged with us prior to the launch of MyMcDonald’s Rewards, but do not signup to MyMcDonald’s Rewards, we will continue for a transitional period of time to personalise our marketing and advertising to you in the manner described above, unless you opt out. Where we process your personal information for personalisation in this way during this transitional period, we will rely on our legitimate interest to ensure your McDonald’s experience is as tailored as possible to do so.
7. McDelivery
If you place a McDelivery order through the McDonald’s app, your personal information will be shared with our McDelivery partner, Uber B.V. (trading as “Uber Eats”).
Uber Eats will process your personal information for the following limited purposes in connection with your McDelivery order:
- to process and deliver your McDelivery order;
- to enable communications between you and the rider delivering your McDelivery order;
- for customer support;
- for fraud prevention;
- to enhance the safety and security of you and the rider delivering your McDelivery order;
- to improve and develop Uber Eats services.
Uber Eats are a controller of your personal information for the above purposes, but Uber Eats will not process your personal information for purposes other than those that are set out above, including for any marketing purposes.
The personal information that Uber Eats use for the above purposes include your name, address, contact details (email address and phone number) and details of your McDelivery order (including the journey of the rider delivering your order). It is necessary to process your personal information for the above purposes to perform a contract with you, or it is otherwise in our or Uber Eats’ legitimate interests to use your personal information in this way, to ensure that McDelivery orders are handled effectively and to ensure the integrity of our and Uber Eats’ services.
Please see the Uber Eats Privacy Notice for more details about how Uber Eats uses your personal information for McDelivery purposes. To exercise your rights in relation to Uber Eats’ processing of your personal information, please contact Uber Eats directly as set out in the Uber Eats Privacy Notice.
We will process personal information in relation to your McDelivery order in accordance with the other sections of this Privacy Statement”.
8. Our Advertising Partners’ Platforms
In this section we provide further information about the Advertising Partners’ Platforms that we work with, and how these Advertising Partners use your data, in connection with the activities described in the “To carry out online advertising” section.
a) Meta
We are joint controllers with Facebook Ireland Limited (“Meta”) in respect of some of the activities described in the “To carry out online advertising” section, where these activities involve advertising to you on Facebook.
We and Facebook have entered into Facebook’s Controller Addendum (available here) to determine our and Facebook’s respective responsibilities for compliance with data protection obligations in respect of these activities. We are responsible for providing the information set out in the “To carry out online advertising” section. Facebook is responsible for giving effect to your data subject rights (see the “Your rights as a data subject” section) in respect of these activities.
For further information about how we and Facebook use your personal information in connection with these activities, including the legal basis Facebook relies on and the ways to exercise your data subject rights against Facebook, please see Facebook’s Data Policy at https://www.facebook.com/about/privacy.
b) Google
Google has published information about how it uses your personal information in connection with its services here. In addition, Google provides further information about how it uses personal information in connection with online advertising in its Privacy Policy and here. You can also use Google’s Ad Settings to manage your online advertising preferences.
c) Twitter
Twitter has published information about how it uses your personal information in connection with its advertising services, including how you can opt-out of Twitter’s interest-based advertising, here.
d) Snap
Snap has published information about your advertising and interest preferences when you use their services, including how you can opt-out of audience match (or referred to as customer match) advertising, here.
9. International Data Transfers
We may transfer your personal information to countries that do not have laws which adequately protect your personal information. In such cases, we take measures (such as standard data protection clauses) to ensure that your personal information receives adequate protection. If you have any questions about these measures or if you want to obtain a copy of the standard contractual clauses we use to safeguard personal information we transfer, please contact us using the contact information provided below.
10. How to Contact McDonald’s UK
If you have data protection questions specific to McDonald’s UK, you can reach us via our website at https://gdpr-mcdonalds.zendesk.com/hc/en-gb or by writing to us at:
Attention: Data Protection Office
McDonald's Restaurants Limited
Customer Services
11-59 High Road
East Finchley
London N2 8AW
UK