McDonald’s Global Privacy Statement
Last updated: 13th August 2020
This privacy statement describes how McDonald’s in the countries listed below – collect, use, protect and share the personal information of our customers. Customers include those who visit our restaurants, use our websites and mobile apps, and otherwise interact with us.
Some of the countries in which we operate have laws that require us to share specific privacy information with our customers in those countries. As such, this privacy statement is comprised of two sections – a globally applicable statement and country specific addendum.
This initial section describes how McDonald’s collects, uses, protects and shares customer information. Where there are variations for a specific country or additional information that is required to be provided under applicable country law, please refer to the applicable country specific addendum (clicking on a country will take you to the country specific addendum):
The data controller of your personal information is the McDonald’s entity in the jurisdiction where your personal information is collected. Please note that in some countries, there may be an additional entity that is the data controller. Please refer to the applicable country specific addendum for more information regarding the data controller of your personal information.
If you are a customer in a country not listed above, please visit the country’s McDonald’s website for the applicable privacy statement. You can find McDonald’s country websites here
Many of our restaurants are owned and operated by franchisees, who are independent businessmen and women. This privacy statement does not apply to our franchisees or to websites or mobile apps they operate. Please see our franchisees’ privacy notices for information on how they use customer information.
- Information WeCollect
- How We Use the Information We Collect
- How We Share the Information We Collect
- Children's Privacy Notice
- Your Choices
- Use of Our Online Services and Other Technology
- Links to Other Websites and Social Media
- Information Security
- International Data Transfers
- Changes To Our Privacy Statement
- How to Contact Us
We may collect personal information about you when you visit our restaurants, use our websites or mobile apps (“online services”), and otherwise interact with us (collectively, “services”). The information we collect falls into three categories: (a) information you provide us; (b) information we collect through automated methods, and (c) information we collect from other sources.
Generally, your providing of your personal information is voluntary. However, there may be situations where your providing of personal information is necessary to provide a service or is required by law. Please note that in certain cases, we may be unable to provide you with our services unless you provide the information. We will let you know when the providing of your personal information is necessary.
We may combine the information you provide us, with information that is collected through automated methods, and with information we receive from other sources.
We collect information you provide us
You may provide the following information to us, depending on how you interact with us:
- personal details, such as your name, postal and email addresses, phone number, birthday information and other contact information, when you register with our online services, log-in to Wi-Fi, enter one of our competitions, or contact us by phone or through our online services;
- transaction information, including information about the products you buy, prices, method of payment and payment details;
- account information, such as your username or password (or anything else that identifies you) used to access our online services or to buy or use our products and services;
- profile information, including products and services you like, or times you prefer to visit us; and
- other personal information you choose to provide us when you interact with us.
We collect information through automated methods
We may use automated technology to collect information from your computer system or mobile device when you visit our restaurants, use our online services, or in-restaurant technology. Automated technology may include cookies, local shared objects, and web beacons. There is more information below about cookies and other technologies in Section 6.
We may collect information about your:
- internet protocol (IP) address;
- date and time of access of our online services or in-restaurant technology;
- name and URL of the file retrieved when you use our online services;
- computer or mobile-device operating system and browser type;
- type of mobile device and its settings;
- unique device identifier (UDID) or mobile equipment identifier (MEID) for your mobile device;
- device and component serial numbers;
- advertising identifiers (for example, IDFAs and IFAs) or similar identifiers;
- referring website (a site that has led you to ours) or application; and
- activity related to how you use our online services, such as the pages you visit on our sites or in our mobile apps.
Our online services and in-restaurant technology may collect information about the exact location of your mobile device or computer using geolocation and technology such as GPS, Wi-Fi, Bluetooth, or cell tower proximity. For most mobile devices and computer systems, you will be requested to give your permission for McDonald’s to process this information. You are able to withdraw your permission for us to collect this information by using the device or web-browser settings. If you have any questions about how to prevent us from collecting exact information about your location, we recommend you contact your mobile-device service provider, the device manufacturer, or your web-browser provider. Some online services and in-restaurant technology may not work properly without information about your location. If you would like us to delete information we have collected which could identify your location, please contact us at our Global or Local Data Protection Office using the contact information provided below. By law, we may need to keep certain information.
We collect information from other sources
We may collect information about you from other companies and organizations, including public databases, social media platforms, or third party partners such as analytics or marketing providers. We may also collect information that is publicly available. For example, we may collect public profile information about you when you interact with us through social media. We may also collect communications to us or regarding us on social media.
We may combine the information you provide us, with information that is collected through automated methods, and with information we receive from other sources.
We may use the information we collect in the following ways.
To provide our services and contract with you:
- carry out your requests, fulfill orders, and process payments for our products and services;
- communicate with you about your orders, purchases or accounts with us, requests, questions, and comments;
- provide online services to you, which includes our websites or mobile apps; and
- provide customer support, including to process any concerns about our services.
To market to you, improve our services, and the following additional legitimate business interests:
- tell you about our products and services, competitions, offers, promotions or special events that we believe may interest you;
- tell you about the products and services of our business partners;
- personalize your experience in our restaurants and on our online services;
- manage our business, including developing new products and services, conducting consumer and operations research, and assessing the effectiveness of our sales, marketing, and advertising;
- use analytics and profiling technology to personalize your experience, deliver content (including advertising) tailored to your interests and how you use our online services or in-store technologies, manage our business, help diagnose technical and service issues, administer our online services and in-store technologies, identify users of our online services, identify a device for fraud prevention purposes, gather demographic information about our customers, and determine usage patterns of our services;
- maintain, manage, and improve our products, offers, promotions, and online services and other technology;
- ensure the security of our networks and systems.
To comply with applicable law:
- protect against, identify and prevent fraud and other crime, claims and other liabilities;
- comply with legal obligations and our policies;
- establish, exercise or defend a legal claim; and
- monitor and report compliance issues.
With your consent (where required by applicable law), we may use the information we collect for the following purposes:
- to send you e-mails or text messages about our products and services, competitions, offers, promotions or special events that we believe may interest you;
- to send you e-mails or text messages about the products and services of our business partners;
- provide location-based services;
- provide online services to children (if parental consent is provided);
- deploy cookies and similar technologies; and
- provide online services to you, which includes our websites or mobile apps.
We may use the information we collect about you in other ways, which we will tell you about at the time we collect it or for which we will seek your consent.
We do not sell your personal information and only share your information as described in this privacy statement.
We may share your personal information within the McDonald's Family. The McDonald's Family includes McDonald’s Corporation, our affiliates, our subsidiaries, and our franchisees. A list of these entities, or where you can find more information, is available here. Members of the McDonald’s Family who receive this information from us are not authorized to use or share the information, except as set out in this privacy statement.
We may share your personal information with vendors who provide services to us, such as fulfilling orders, providing data processing and other information technology services, managing promotions, contests, prize draws and sweepstakes, carrying out research and analysis, and personalizing individual McDonald’s customer experiences. We do not allow these vendors to use this information or to share it for any purpose other than to provide services on our behalf.
We may, for strategic or other business reasons, decide to sell or transfer all or part of our business. As part of that sale or transfer, we may pass information we have collected and stored, including personal information, to anyone involved in the sale or transfer.
There may be times where we may share information when it does not directly identify you. For example, we may share anonymous, aggregated statistics about your use of our online services. Or we may combine information about you with other customers and share the information in a way that does not link to a specific customer.
We have the right to use or share personal information as necessary to keep to any law, regulation or legal request, to protect our online services and in-restaurant technology, to bring or defend legal claims, to protect the rights, interests, safety and security of our organization, our employees or franchisees, or members of the public, or in connection with investigating fraud or other crime, or violations of our policies.
We understand how important it is to protect your privacy when you use our online services. We are especially committed to protecting the privacy of children who visit or use our online services. For more information on how a specific country protects children’s privacy, please see the country specific addenda below.
We urge parents to regularly monitor and supervise their children's online activities. If you have any questions about our children’s privacy practices, please contact us at our Global or Local Data Protection Office using the contact information provided below. If you are contacting a Local Data Protection Office, please choose the office in the country in which you are a customer.
If you have agreed to receive marketing communications from us, you can later opt out by following the opt-out instructions in the marketing communications we send you. You can also generally find your communication preferences with instructions on how to opt out in the profile section of the online services that you use. You may also have the ability to change your communication preferences using your device settings. You can also opt out by contacting us at our Global or Local Data Protection Office using the contact information provided below. If you are contacting a Local Data Protection Office, please choose the office in the country in which you are a customer.
If you do opt out of receiving marketing communications from us, we may still send communications to you about your transactions, any accounts you have with us, and any contests, competitions, prize draws or sweepstakes you have entered. Opting out of one form of communication does not mean you have opted out of other forms as well. For example, if you opt out of receiving marketing emails, you may still receive marketing text messages if you have opted in to receiving them. Please note that if you are receiving communications from a McDonald’s franchise, then you will need to opt out from them directly.
We do not share personal information with third parties for their own direct marketing purposes, unless you give us permission to do so. When we give you notice, and you consent, we will share your personal information as you direct us to.
Your Personal Information Rights
In certain countries, individuals are entitled to the right to access, correct, transmit, restrict, delete and object to processing of the personal information we have collected. In these certain countries, individuals are also entitled to withdraw consent to processing of personal information. For more information regarding these rights, and the countries where these rights are available, please see the country specific addenda below. You can also visit the GDPR Rights Center.
Cookies and other technologies
A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and is used to remember and/or obtain information about the user. Some countries in which we operate may have a cookies policy. That specific information, by country, is provided below.
A “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity. They are also sometimes referred to as pixels and tags.
Please note the following:
- You might be assigned a cookie when using our online services.
- We may use both session (for the duration of your visit) and persistent (for the duration of a fixed period of time) cookies and other tracking technologies.
- Our online services and other areas related to our business may have web beacons.
We may use these technologies to:
- uniquely identify you or your device;
- allow you to access and use our online services, where without them, our online services may not work properly;
- further system security where appropriate;
- statistical purposes, in order to measure use of our websites and mobile apps;
- improve our products and services;
- help us monitor the performance (e.g., traffic, errors, page load time, popular sections, etc.) of our online services;
- remember you, for your convenience, when you visit our online services
- help customize your experience;
- to market to you through targeted advertising; and
- for other purposes described in the section of this privacy statement titled, “How we use the information we collect.”
For example, we may use certain technologies to determine whether you have opened an e-mail or clicked on a link contained in an e-mail, how you use the pages and content in our mobile apps, or whether you have clicked on a McDonald’s online advertisement.
Both we and others (such as our advertising networks) may use these technologies to collect information about your online activities, over time and across third-party websites and devices, and when using our online services to further personalize your experience with us.
Use the options in your web browser if you do not wish to receive a cookie or if you wish to set your browser to notify you when you receive a cookie. Click on the “Help” section of your browser to learn how to change your cookie preferences. If you disable all cookies, you may not be able to take advantage of all the features available on a website.
Some newer web browsers may have a "Do Not Track" preference that transmits a "Do Not Track" header to the websites you visit with information indicating that you do not want your activity to be tracked. McDonald’s does not currently take actions to respond to Do Not Track signals because a uniform technological standard has not yet been developed. We continue to review new technologies and may adopt a standard once one is created.
Where video is available on our online services, we may target and track the videos you view. You consent to our tracking of your video viewing through online services or third-party social media for up to two years, or as otherwise permitted by applicable law, or until you withdraw your consent.
More information regarding how cookies and technology are used in a country in which you are a customer may be available in the country specific addenda.
When you use our online services, we (and our vendors who provide services to us) may collect information about your activities so that we can provide you with advertising tailored to your interests.
You can opt out of targeted advertising by visiting www.aboutads.info/choices or www.networkadvertising.org/managing/opt_out.asp . If you choose to opt out, you will continue to receive advertisements but they will not be tailored to your interests.
We may also have providers of other apps, tools, widgets and plug-ins on our online services, such as Facebook “Like” buttons, which may also use automated methods to collect information about how you use these features. These organizations may use your information in line with their own policies.
We are committed to taking appropriate measures designed to keep your personal information secure. Our technical, organizational and physical procedures are designed to protect personal information from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the internet or any other public network can be guaranteed to be 100% secure.
We keep your information for the length of time needed to carry out the purposes outlined in this privacy statement and to adhere to our policies on keeping records (unless a longer period is needed by law). Our records policies reflect applicable laws. We will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, enforce our agreements, and as otherwise described in this statement.
McDonald’s is a global organization with business processes, management structures and technical systems that cross borders. As such, we may share information about you within the McDonald’s Family and transfer it to countries in the world where we do business in connection with the uses identified above. Any international data transfers will be in accordance with this Privacy Statement and in compliance with applicable laws. Some countries in which we operate may have requirements pertaining to international data transfers. That specific information, by country, is provided below in the country specific addenda.
McDonald’s Corporation participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
McDonald’s Corporation participates in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) administered by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. McDonald’s Corporation’s participation in the Privacy Shield subjects it to the investigatory and enforcement power of the Federal Trade Commission. You can view a complete list of all Privacy Shield participants, including McDonald’s Corporation, at https://www.privacyshield.gov/list.
As a Privacy Shield participant, McDonald’s Corporation is committed to and has certified that it adheres to the Privacy Shield Principles for all personal information received from the European Union and Switzerland in reliance on the Privacy Shield. Please note the following:
- McDonald’s Corporation may share personal information that is subject to the Privacy Shield Principles with vendors who provide services to it, as described above in Section 3. McDonald’s Corporation may be liable under the Privacy Shield if these vendors process such personal information in a manner inconsistent with the Privacy Shield and McDonald’s Corporation is responsible for the event giving rise to the damage.
- McDonald’s Corporation may disclose personal information received in reliance on the Privacy Shield in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- You have the right to request access to personal information received by McDonald’s Corporation in reliance on the Privacy Shield, and to exercise choice in limiting McDonald’s Corporation use and disclosure of such information. If you are interested in exercising your right and choice, please contact McDonald’s Corporation at the address, phone number or email address below.
McDonald’s Corporation’s privacy practices are provided in this Privacy Statement. McDonald’s Corporation encourages you to contact it at any time with questions, concerns or complaints about its privacy practices and participation in the Privacy Shield; simply use the address, phone number or email address provided below. You may also refer a complaint to your local data protection authority and McDonald’s Corporation will work with them to resolve your concern.
If McDonald’s Corporation is unable to resolve your concern regarding your personal information received by McDonald’s Corporation under the Privacy Shield, you have the right to direct your unresolved concern to JAMS, an independent dispute resolution service based in the United States, to provide recourse at no charge to you. To seek recourse for an unresolved concern, please click here. If JAMS is unable to resolve your concern, you may have the right to invoke binding arbitration under certain conditions. To learn more about this option, click here.
Please note that the foregoing processes apply only to the resolution of disputes regarding personal information received by McDonald’s Corporation under the Privacy Shield. All other disputes that you may have with McDonald’s Corporation or any other members of the McDonald’s Family, or any agents, representatives, agencies, officers, directors, or employees, must be resolved in accordance with the terms and conditions of any applicable websites, mobile apps, email newsletters, email subscriptions or other digital properties owned or controlled by a member of the McDonald’s Family.
For more information about the Privacy Shield program, and to view McDonald’s Corporation’s certification, please visit the Privacy Shield website.
This privacy statement is in effect as of the date noted at the top of the statement. We may change this privacy statement from time to time. If we do, we will post the revised version here and change the “last updated date” (the date it applies from) at the top of the statement. You should check here regularly for the most up-to-date version of the statement.
You can contact us at any time about McDonald’s privacy practices at our Global or Local Data Protection Offices. Our Local Data Protection Offices can assist with country-specific queries or information. Contact information for our Local Data Protection Offices can be found in the country specific addenda.
Global Data Protection Office
Attention: Global Data Protection Office
Privacy at McDonald's, Dept. 282
110 North Carpenter Street
Chicago, IL 60607-2101, USA
Last updated: 7 August 2020
McDonald’s Restaurants of Ireland Limited is the data controller for the processing of your personal information.
Your Personal Information Rights
In connection with your personal information rights, you may request the following:
- Where processing your personal information is based on your consent you may withdraw this consent at any time; the withdrawal of the consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- Request access to your personal information and obtain a copy of it;
- Obtain your personal information in a structured, commonly used and machine-readable format and request us to transmit it directly to another company in case your personal information is processed based on your prior consent, or required for the performance of a contract;
- Have your personal information corrected when it is inaccurate or incomplete;
- Object on grounds relating to your particular situation to our processing of your personal information based on our legitimate business interest, including profiling, and to the sending of marketing communications;
- Have your personal information erased, including any links to, copy or replication of such information, as permitted under applicable law; for instance, when your information is outdated, not necessary or unlawful or when you withdraw your consent to our processing based on such consent, or when you successfully object to our processing;
- Obtain the restriction of the processing while we are processing your request or challenge pertaining to the accuracy of your personal information or the lawfulness of the processing of your personal information and our legitimate interests to process this information, or if you need the personal information for litigation purposes.
You may exercise these rights free of charge by contacting us via https://customerservices.mcdonalds.co.uk/hc/en-gb/requests/new. However, subject to the applicable law, McDonald’s may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character. In some situations, McDonald’s may refuse to act or impose limitations on the information disclosed if, for instance, the disclosure is likely to adversely affect the rights and freedoms of others, prejudice the execution or enforcement of the law, or interfere with pending or future litigation.
You also have the right to lodge a complaint about our processing of your personal information with the Data Protection Commissioner, which is the Supervisory Authority in Ireland, by e-mailing firstname.lastname@example.org
Children’s Privacy Notice
Our policy is not to collect personal information from any child under 13 unless for a specific activity where the child's parent or guardian has first provided us with written consent to that specific activity.
Cookies and Other Technologies
A copy of McDonald’s UK cookies policy can be found here.
Facebook Custom Audiences
Where you are a registered user of Facebook, we will use your email address in an encrypted format to match with your Facebook profile so that we can provide you with personalised advertising on Facebook.
Please note that such activity is also subject to the privacy choices you have elected to make on Facebook.
Facebook Lookalike Audiences
Where you are a registered user of Facebook, we will use your email address in an encrypted format to enable Facebook to find other registered users of their services that share similar interests to you based on:
- information that we observe about you from your interactions with our Services, or when you visit one of our restaurants; and
- the information Facebook holds about you.
CCTV is used in McDonald’s restaurants for the following legitimate business interests:
- To prevent and detect crime and disorder;
- To assist in the apprehension of offenders;
- To provide evidence in the event of legal proceedings by or against McDonald’s;
- To ensure restaurants are being run in a safe manner;
- To ensure operational effectiveness.
McDonald’s also captures your image if you are using our drive thru, at the time you place an order. This is not permanently saved onto any device. Instead, it is displayed on the cashier’s till in the drive thru window, and is then automatically deleted within 30 minutes of the sale being completed. The image captured will generally include only the head and shoulders of the individual making the order, and is captured for McDonald’s legitimate business interests to ensure that the completed food and beverage order is passed to the same person who placed the order.
We may monitor, record, store and use any telephone, email or other communication with you for our legitimate business interests in order to check any instructions given to us and in order to improve the quality of our customer service via training.
International Data Transfers
We may transfer your personal information to countries that do not have laws which adequately protect your personal information. In such cases, we take measures (such as standard data protection clauses) to ensure that your personal information receives adequate protection. If you have any questions about these measures or if you want to obtain a copy of the standard contractual clauses we use to safeguard personal information we transfer, please contact us using the contact information provided below.
COVID-19 Contact Tracing
In line with government guidance, McDonald Restaurants of Ireland Limited (“we”) is supporting official contact tracing initiatives by asking customers who eat in our restaurants to complete an online form with certain contact details and information about their visit. Contact tracing allows people who may have been close to someone who has tested positive for COVID-19 to be made aware of that fact so that they can self-isolate. It’s a key part of the ongoing COVID-19 response and can help break infection chains.
In the Republic of Ireland, if you want to eat in our restaurants then you must provide the information requested.
Set out below are details of what information we collect for contact tracing and how we use it.
Information we collect
When you eat in our restaurants, we ask you to complete our COVID-19 Store Registration Form and to provide your name, phone number, restaurant number (details provided at your table), what time you arrived at our restaurant, how long you plan to stay and the number of people in your group. When completing this form, we also capture the date that you visited our restaurant.
If you are in a group of two or more people: Only one of you will be asked to provide your details, but that person should also tell us how many people were with them. If you are the person completing the form, please keep a note of who is accompanying you. We will not ask to see this but if you are contacted by public health authorities, they will ask you to provide this information so that they can contact everyone who was with you.
If you are under the age of 13: please ask someone in your group who is over the age of 13 to complete the registration form on their phone. If you are on your own or if all of the people in your group are under the age of 13, you should enter your / your group leader's name into the form, but include the phone number of that person's parent or guardian into the relevant field of the form, not your own number. That is the phone number that we will pass to public health authorities (and which they will call) if the contact tracing process is initiated.
Using, storing and sharing this information
We only use the information that we collect for contact tracing purposes. Here is how contact tracing works.
If a person who has been in a restaurant at the same time as you later tests positive for COVID-19, the relevant national health authority may contact us to ask us to share with them the record of our customers who also ate in the same restaurant. We will then supply that authority with the information that you gave us via our COVID-19 Store Registration Form, so that it can notify you and other customers as it deems appropriate.
We will not share your information with anyone else and we will not use it for any other purpose. We will only hold the information for a short period - one month - after which it will be securely deleted. The public authorities which administer COVID-19 contact tracing in the Republic of Ireland are as follows: Department of Health, Health Service Executive and the Health Protection Surveillance Centre (https://www.hpsc.ie/a-z/respiratory/coronavirus/novelcoronavirus/guidance/contacttracingguidance/) .
We rely on compliance with a legal obligation in order to collect and share your information, including that, such processing is necessary to comply with our legal obligations under the Safety Health and Welfare Act 2005.
How to Contact McDonald’s Ireland
If you have data protection questions specific to McDonald’s Ireland, you can reach us via the following link: https://customerservices.mcdonalds.co.uk/hc/en-gb/requests/new or by writing to us at:
Attention: Data Protection Office
McDonald's Restaurants of Ireland Limited
11-59 High Road
London N2 8AW