McDonald's Global Privacy Statement

Last updated: [September 13, 2018]

This Privacy Statement (“Privacy Statement”) describes how McDonald’s collects, processes, protects and discloses personal information about its guests in the countries listed below. Our guests include those who have a business relationship with us, i.e. who visit our restaurants, use our websites and mobile apps, and otherwise communicate with us.

Some countries, in which we operate, have laws that require us to share certain information with our guests regarding the way we process our guests' personal information. Therefore, the Privacy Statement is divided into two sections - a globally applicable part, and a country-specific supplementary statement.

The first section (globally applicable part) describes the standards in relation to how McDonald’s collects, processes, protects and discloses guest data as a whole. If there are variations for a particular country, or additional information needs to be provided due to country-specific laws or the EU Data Protection Basic Regulation (hereafter “GDPR”), please refer to the supplementary statement for that country:

  • Austria
  • Belgium
  • Czech Republic
  • France (France)
  • Germany (German)
  • Hungary
  • Ireland
  • Italy
  • Netherlands
  • Poland
  • Portugal
  • Slovakia
  • Spain
  • Switzerland
  • United Kingdom
  • United States

For the purposes of this statement as a whole, the McDonald's Werbegesellschaft mbH (you can find the contact details in the national supplementary statement) is the controller responsible for processing your personal data.

Please note that in some countries there are several companies of McDonald’s which may be the controller in terms of applicable data protection law. If you are a guest in a country not listed above, please visit the McDonald’s website of that country to learn more about privacy. You can find the national McDonald’s websites here: http://corporate.mcdonalds.com/content/corpmcd/about-us/around-the-world.html.

Some of our restaurants are operated by franchisees who are self-employed entrepreneurs. This Privacy Statement does not apply to our franchisees or to websites and mobile apps, etc. that they operate. Our franchisees follow their own privacy statements and practices.

1. Data that we collect and process
2. How we process your information
3. How we share the data we collect
4. Privacy statement regarding children
5. Your choices
6. Use of our online services and other technologies
7. Links to other websites and social media
8. Security
9. Storage period
10. International data transfer
11. Changes to our Privacy Statement
12. How you can contact us

 


 

Additional declaration for natural persons resident in Austria

[Last updated: September 13, 2018]

Local controller

McDonald's Werbegesellschaft mbH
Campus 21 Liebermannstrasse, A01601
2345 Brunn am Gebirge
Austria

is the controller responsible for the processing of your personal data.

Legal bases for the processing of personal data

We process your personal data on the following legal bases: your consent (Art 6 para 1 lit a GDPR); the necessity to perform a contract (Art 6 para 1 lit b GDPR); our overriding legitimate interest (Art 6 para 1 lit f GDPR); to necessity to comply with our legal obligations (Art 6 para 1 lit c GDPR).

Privacy statement regarding children

We may offer a variety of attractions on our websites, such as games or coloring books, for which children do not need to provide personal data. We collect personal data from children under the age of 14 only to a limited degree and only to the extent permitted by law or with parental consent. For example, under these circumstances, we may collect a child's email address so entering a sweepstake is possible.

In the course of participating in online activities, McDonald’s will not collect more personal data from children as is necessary for participation in the particular activity and as is permitted by law or as is covered by the consent of a parent.

As far as personal data of children are collected by McDonald’s, they are only collected by McDonald’s and companies commissioned by McDonald’s, which provide technical or other services, under the above-mentioned conditions and as far as this is legally permitted or a parent has consented. The services of these companies include, for example, the improvement of our websites, the processing of enquiries and the execution of sweepstakes. This personal data will not be sold to third parties.

We kindly ask parents to regularly monitor their children's online activities.

Your rights as a data subject

Regarding your personal data you have the following rights:

  • You may withdraw your consent once given to us at any time. The consequence of this is that we may not continue the data processing based on this consent for the future; processing that took place before the withdrawal is not affected.
  • You may request access to your personal data processed by us and a copy thereof;
  • You may receive personal data you provided us with in a structured, commonly used and machine-readable format and request that we send these directly to another controller;
  • You may request that we rectify inaccurate personal data or complete incomplete personal data concerning you and stored with us;
  • You may object to the processing on the basis of legitimate interests pursuant to Art 6 para 1 phrase 1 lit f GDPR, if there are grounds relating to your particular situation, or object to direct marketing; in the latter case there is a right to object at any time without stating reasons.
  • You may request erasure of your personal data stored with us including links to your data, copies or replication of such data, as far as permitted by applicable law; for example, if your data is out of date, no longer necessary for the purposes or unlawful or if you withdraw your consent to processing and there is no other legal basis for processing or if you successfully object to our processing;
  • You may request restriction of the processing if the accuracy of the data is contested by you, if the processing is unlawful, but you refuse erasure of the data and if we no longer need the data, but you need it to establish, exercise or defend legal claims or you have lodged an objection against the processing pursuant to Art 21 GDPR.

Please note that if you withdraw your consent, you may no longer be able to participate in the programs, services or initiatives for which you have given your consent to the processing of your personal data.

They may exercise these rights free of charge unless the request is manifestly unfounded or excessive, for example in the case of repeated requests.

To exercise your rights, contact us at our global or local data protection office using the contact details provided.

You can also exercise your rights by making use of McDonald’s GDPR Rights Center at http://corporate.mcdonalds.com/GDPRRightsCenter.com.

In certain cases, we may refuse to meet all or part of your requests to the extent permitted by law. Before we comply with your request, we may ask you for proof of identity and/or additional information to help us respond to your request. In all cases, you have the right to file a complaint with the local data protection authority.

Information for registered users of the bonus program of our local app.

The Austrian bonus program is offered by McDonald‘s Werbegesellschaft m.b.H. (hereafter “McDonald’s”) and processed via the app.

The purpose of the app is to provide you (registered users in Austria) with a bonus club, where you can collect points (so-called Ms) in participating McDonald’s restaurants in the course of your purchase and redeem them for rewards and display vouchers tailored to your product preferences (e.g. for discounted or free products).

If you no longer want McDonald’s to process your personal data in this way, you can delete your personal user account using the app (link: www.mcdonaldsapps.com/de-CH/account) or unregister and continue using the app as an unregistered user. This means that you can exercise your right to object according to Article 21 GDPR at any time by deleting or unregistering your personal user account and using the App as an unregistered user.

Cookies and other technologies

Our local website and our local app use cookies. By using the aforementioned online services, the user consents to the use of cookies. More information about cookies and other technologies can be found below and under point 6 of the global part of the privacy notice.

Remarketing

Third parties, including Google, place ads on websites on the internet. These third parties may use cookies to serve ads based on your previous visits to our website. Remarketing technology makes it possible to specifically target those internet users with ads on other websites who have already shown an interest in our website and our products. No personal data is stored this way and the remarketing technology is used in compliance with the applicable data protection provisions.

Further information on use-based advertising and ways to object can be found under http://www.youronlinechoices.com/de/uber-oba/

You can permanently deactivate the use of cookies by Google by clicking the following link and downloading and installing the plug-in provided there: https://www.google.com/settings/ads/plugin.

Alternatively, you can deactivate the use of cookies by third parties by visiting the Network Advertising Initiative's opt-out page under http://www.networkadvertising.org/choices/ and by implementing the information on opting- provided there. Further information about Google Remarketing and Google's privacy notice can be found under http://www.google.com/privacy/ads/.

Google Analytics

We use Google Analytics, a web analysis service provided by Google Inc., for the purpose of tailoring our pages to meet your needs and continually optimizing them. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as "Google"). In this context, pseudonymized user profiles are created and cookies are used (see general explanations on cookies in the main part of the privacy notice). The information generated by the cookie about your use of this website such as

  • Browser type/version,
  • operating system used,
  • referrer-URL (the previously visited page),
  • host name of the accessing computer (IP address),
  • time of the server request,

is transferred to a Google server in the USA and stored there. This information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for market research purposes and to tailor these web pages to meet your needs. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of others. Under no circumstances will your IP address be merged with other Google data. Any IP address is anonymized so that no allocation is possible (IP masking).

You can refuse the installation of cookies by using the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of this website.

Further, you can prevent the collection of data generated by the cookie related to your use of the website (including your IP address) as well as the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).

As an alternative to the browser add-on, especially when using browsers on mobile devices, you can also prevent Google Analytics from collecting your data by clicking on this link. In this case, an opt-out cookie will be set to prevent your information from being collected in the future when you visit this website. This opt-out cookie applies only to this browser and only to our website and is placed on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again. Further information on data protection in connection with Google Analytics can e.g. be found in Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=en).

Google Firebase

Our apps use technology from Google Firebase (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”). Firebase is part of the Google cloud platform and offers numerous services for developers. A list of them can be found here: https://firebase.google.com/terms/. Some Firebase services process personal data. In most cases, the personal data is limited to so-called “Instance IDs”, which are timestamped. This “Instance IDs” assigned by Firebase are unique and thus permit the linking of different events or processes. To us, this data does not constitute personally identifiable information and we make any efforts to subsequently personalize it. We process this aggregated data to analyze and optimize usage behavior, e.g. by evaluating crash reports.

For Firebase Analytics, in addition to the aforementioned “Instance ID” Google also uses the Ad-ID of the end device. In the settings of your mobile device, you can restrict the use of the Ad-ID.

For Android: Settings > Google > Ads > Reset Ad ID
For iOS: Settings > Privacy > Advertising > No Ad Tracking

Firebase Cloud Messaging is used to transmit push notifications or so-called in-app messages (messages that are only displayed within the respective app). The end device is assigned a pseudonymized push reference, which serves as the target for the push notifications or in-app messages. The push notifications can be deactivated and reactivated at any time in the settings of the end device.

We do not use Firebase services that use personally identifiable information such as IP addresses, email addresses, telephone numbers or passwords. For more information about Firebase's privacy and security practices, please visit https://firebase.google.com/support/privacy/. We use servers located within the EU whenever possible. However, it cannot be ruled out that data may also be transferred to the USA. Google has joined the EU-US Privacy-Shield, a data protection agreement between the EU and the USA. Further information on Google Firebase and data protection can be found under https://www.google.com/policies/privacy/ and https://firebase.google.com/.

Deactivation

If you have deactivated the collection of data via Google Analytics (see above), the collection of data via Firebase is also deactivated, however, only on this device, not on other devices that you may use. You can deactivate push notifications via the system settings of your device.

Automated decision-making under Art 22 GDPR

We do not use automated decision-making in the meaning of Art 22 GDPR within the framework of business relations with our guests at McDonald’s Austria.

International data transfer

As residents of the European Economic Area, we may transfer your personal data to countries which, in the opinion of the European Commission, may not have an adequate level of data protection. In such cases, we will take measures (e.g. by concluding so-called standard contractual clauses of the EU Commission) to ensure that an adequate level of protection is established for your personal data. If you have any questions about the guarantees we use to protect your personal data for transfer to other countries, or if you would like a copy of the EU standard contractual clauses we use for transferring and protecting your data, please contact our global or local data protection office at the contact information provided. Contact at McDonald‘s Austria If you have any questions about data protection at McDonald’s Austria, please contact us at:

McDonald's Werbegesellschaft mbH
Campus 21
Liebermannstrasse, A01601
2345 Brunn am Gebirge Austria
datenschutz@at.mcd.com