Personal Information Protection Policy

Tamotsu Hiiro, Representative Director and President
Shinjuku iLand Tower 6-5-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo
McDonald’s Holdings Company (Japan), Ltd.

Tamotsu Hiiro, Representative Director and President
Shinjuku iLand Tower 6-5-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo
McDonald’s Company (Japan), Ltd.

Personal Information Protection Policy

Based on the Act on the Protection of Personal Information (hereinafter referred to as the “Personal Information Protection Act”), McDonald's Holdings Company (Japan), Ltd. and McDonald's Company (Japan), Ltd. (hereinafter collectively referred to as “McDonald’s”) set forth the Personal Information Protection Policy (hereinafter referred to as “this Policy”) concerning personal information of customers and all other persons who engage in the business activities of McDonald's including the shareholders and employees (hereinafter collectively referred to as the “Customers”).
McDonald's will handle personal information of Customers in accordance with this Policy.
In addition, Customers who use websites, mobile applications and individual services (hereinafter collectively referred to as the “Websites”) provided by McDonald's are deemed as having agreed to this Policy.

• Article 1: Definition 
• Article 2: Management 
• Article 3: Specifying the Purpose of Using Private Information and Its Use
• Article 4: Personal Information of Children 
• Article 5: Personal Information and Information relating to Individuals 
• Article 6: Shared Use of Personal Information within the Group 
• Article 7: Entrustment of Personal Information 
• Article 8: Third Party Provision 
• Article 9: Safety Control Measures 
• Article 10: Rights of Customers 
• Article 11: Contact Information 
• Article 12: Policy Revision 
• Contact information 

Article 1: Definition

“Personal information” means information relating to a living individual which falls under any of the following:

1. those containing a name, date of birth or other descriptions etc. stated, recorded or otherwise expressed using audio, movement or other methods whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual).
2. those containing an individual identification code.

Article 2: Management

McDonald's will establish a personal information protection management supervisor to ensure strict management of personal information gathered from Customers, in compliance with the Personal Information Protection Act, other relevant laws and regulations and company rules. The Websites have sufficient security measures in place against unauthorized access, data leakage, alteration and/or destruction to protect the Customers’ personal information. However, these security measures do not provide protection for data communication between the Customers’ PCs and the Websites. Each Customer is responsible for the management of their own security measures.

Article 3: Specifying the Purpose of Using Private Information and Its Use

McDonald's may use personal information collected from the Customers for purposes listed below. In cases where personal information is to be used for programs, campaigns, customer services or other purposes not listed below, the purpose of use will be specified each time prior to collecting personal information.

• To provide information on products sold, services offered and campaigns conducted by McDonald's.
• To notify winners of McDonald's-sponsored campaigns in which Customers have participated, to inform them that they have won and to present the prizes and rewards.
• To analyze attribution information and browsing/purchasing history, etc., acquired to provide information, contents, coupons and advertisements that are in accordance with customer preferences.
• To send requests to participate in surveys for sampling of new products or mobile applications to enhance product quality and services as well as other actions relating to such.
• To inform of updates for Websites as well as their contents (including recruitment information for employees or part-time employees, etc.).
• To offer information on products, services and campaigns by companies, schools, associations and such that the company deems appropriate including business partners, etc.
• To improve marketing, product development and services and to develop new services based on the results of interviews with customers, analysis of surveys and analysis of customer behavior in restaurants.
• To respond to inquiries from customers, to deliver products to customers and to communicate with customers as necessary.
• To deal with applications for employees/part-time employees and franchise owners.
• To manage employment and communicate with employees etc.
• To exercise rights and/or perform obligations by the shareholders.
• To create and/or manage the shareholders’ data etc.
• To communicate with the shareholders, including sending notice of shareholders meeting or benefits
• Other purposes associated to the abovementioned purposes.

will use personal information of Customers only within the scope of purposes specified at the time of collecting such information. In cases where situations require changes within the boundary that is reasonably recognized as relevant to the said specified purpose of use, this will be notified to the Customers or announced on the Websites. In cases where situations require the use of the Customers’ personal information outside of the boundary that is reasonably recognized as relevant to the said specified purpose of use, consent will be obtained from the Customers before use. The Customers’ personal information will not be used for the said purpose in cases where consent cannot be obtained.

Article 4: Personal Information of Children

McDonald's protects personal information of minors to the same degree as personal information of adult.
However, when Customers below 13 years old are to use McDonald’s Websites or apply for various programs, it is recommended that this is done together with guardians of said Customers with their consent. Customers below 13 years old are asked to refrain from sending personal information to McDonald's Websites without the consent of their guardians.
Customers below 13 years old are permitted to participate in various programs including free giveaways; however, notification that they have won and the prizes may be sent to their guardians. In cases where a winner is below 13 years old, consent from theirguardians shall be obtained prior to releasing the above winner’s name, age or photos.

Article 5: Personal Information and Information relating to Individuals

1. Information handled by McDonald's
   Name, date of birth, sex, phone number, address, postal code, email address, history of purchase, point ID, point usage and other information provided through entry forms.
2. Information collected automatically by use of Websites
   Devise information (Devise ID, IP address etc.), log information, Cookie, location information and other informative information (AAID, IDFA etc.)

If Customers should desire the use of informative information to be discontinued, please set restrictions for advertising identifiers (opt out) etc. in accordance with the guide described in the following websites.
However, if Customers should take such measures, use of services for the Websites may be restricted and/or a part of functions provided through services may be unavailable.

• Setup of IDFA, an advertising identifier, on iOS devices
  [Apple Support Center] https://support.apple.com/kb/HT4228?viewlocale=ja_JP&locale=en_US
• Setup of Google Advertising ID, an advertising identifier, on Android devices
  [Ad ID - Google Play Help] https://support.google.com/googleplay/answer/3405269

Article 6: Shared Use of Personal Information within the Group

Personal information of Customers may be used by the following shared users within the scope of the specified purpose of use:

1. Scope of shared users:
   McDonald's Corporation, McDonald's Holdings Company (Japan), Ltd., McDonald's Company (Japan), Ltd., and affiliates and franchisees of these companies.
2. Purpose of use:
   1. For marketing activities to promote selling of products and/or services.
   2. To handle inquiries from Customers about products and/or services provided by individual group companies, or to communicate and/or delegate the task to assigned companies.
   3. Other purposes to conduct business with Customers in an appropriate and smooth manner.
3. Items of personal information to be shared:
   Name, telephone number, address, e-mail address, purchase history, details of customer inquiries, etc.
4. Management supervisor of shared use:
   Tamotsu Hiiro, Representative Director and President
   Shinjuku iLand Tower 6-5-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo
   McDonald’s Company (Japan), Ltd.

Article 7: Entrustment of Personal Information

1. McDonald's may entrust the handling of personal information by executing a strict personal information protection agreement with a partner company that has an adequate system to protect personal information. In addition, names and addresses, etc. may be provided to couriers to deliver products.
2. Entrustment to overseas third parties
   McDonald's selects business operators in the countries prescribed by the Rules of the Personal Information Protection Commission or business operators that have systems conforming to the standards prescribed by the Rules of the Personal Information Protection Commission in place, and obligates said business operators to follow matters required for personal information protection and exercises appropriate supervision by entering strict personal information protection agreements with such business operators.

Article 8: Third Party Provision

McDonald's shall not provide Customers’ information to any third party without prior consent of said Customers, except in cases stipulated in Article 6 (Shared Use of Personal Information within the Group) or Article 7 (Entrustment of Personal Information). However, the Customers’ information may be provided to a third party without prior consent of said Customers, to the minimum extent necessary, in the following cases:

1. cases based on laws and regulations;
2. cases in which there is a need to protect the lives or assets of people;
3. cases in which it is needed to enhance public hygiene or promote the fostering of healthy children; or
4. cases in which there is a need to cooperate with public organizations such as the police or courts.

Article 9: Safety Control Measures

McDonald's takes necessary and appropriate safety control measures to prevent leakage, loss or damage of Customers' personal information. The main contents are as follows.

(Establishment of rules concerning the handling of personal information)

• The Company has established internal rules regarding the acquisition, use, storage, provision and deletion/discarding of personal information, including handling methods and responsible persons.

(Organizational safety control measures)

• A management supervisor has been established for the management of personal information.
• Under internal rules, only those who are required to know or use the information for business reasons are allowed to possess and use personal information, and only to the minimum extent necessary, with the company limiting the number of persons who may possess and use personal information.
• A reporting system is in place to report to the management supervisor in the event that there is the occurrence or signs of the Personal Information Protection Act or related internal regulations being violated or in the event that there is the occurrence or signs of leakage of personal data or other incidents.
• Self-inspections for the situation of the handling of personal information shall be conducted regularly using check sheets prescribed by the Legal Department and others, and audits by the Internal Audit Department and others shall be executed.

(Human safety control measures)

• The Company's Working Regulations include matters related to the protection of personal information. Under the Working Regulations, employees are required to pay sufficient attention to the management of personal information, to not wrongfully acquire information that is not related to their duties, to not present, use or provide personal information obtained in the course of their duties to others, both inside and outside the company, beyond the scope of their duties and to promptly return personal information that they had been managing upon being transferred or resigning.
• Regarding the handling of personal information, training and other means to inform them shall be provided to employees and others on points to keep in mind.

(Physical safety control measures)

• When storing personal information on paper, etc. or on external storage devices such as USB flash drives or CDs, the information must be stored in a place that can be locked.
• A retention period shall be set for personal information, and the information shall promptly be discarded after the retention period or when it is no longer needed. When discarding information, the management supervisor shall be held accountable for cutting, dissolving or deleting the data in an unrecoverable form.

(Technical safety control measures)

• When storing personal information in electronic files (including storage in external storage devices as described above), access control is implemented to prevent access by third parties.
• Employees with access to personal information are limited, and furthermore, if those with access rights should leave the company or be transferred and no longer be granted access, access is immediately disabled.
• Firewalls, etc. are installed at the connection points between information systems and external networks to block unauthorized access.

(Understanding the external environment)

• When handling personal information in other countries, safety control measures are implemented based on the understanding of the systems for the protection of personal information in said countries.

Article 10: Rights of Customers

Providing personal information to McDonald's is optional and Customers may choose not to provide such information. However, this may limit the services Customers can receive. Customers may request the personal information protection management supervisor to disclose the personal information they provided to McDonald's, and may seek to revise incorrect personal information, if any. Furthermore, Customers may request that use of such information be discontinued or that it be deleted in cases where there is questionable handling, etc. by McDonald's.
Please contact McDonald's Japan’s Customers Satisfaction Department below to apply to have personal information be disclosed, revised, use be discontinued or deleted, to apply to have records of use of personal information by third parties be disclosed or to exercise any other rights granted under the Personal Information Protection Act.

• McDonald's may be unable to abide by requests in regard to Customers’ personal information if (i) the Customers’ identity cannot be confirmed, (ii) the personal information has already been discarded or deleted, or (iii) such disclosure may significantly interfere with the proper execution of business.
• A fee may be charged for the disclosure of information.

Article 11: Contact Information

If there should be any questions regarding this policy or questions, comments, complaints or concerns regarding McDonald's handling of personal information, please consult the contact information below.

Article 12: Policy Revision

This Policy may be revised due to changes in the personal information collected and/or the purpose of use etc. The new policy shall be applied after the revision. Individual Customers will not be notified of revisions to the Policy which will be announced by updating this website. Therefore, it is recommended that this website be visited on a regular basis.

[Contact information]

Customer Satisfaction Department, McDonald's Company (Japan), Ltd.
Toll-Free 0120-010-916
Inquiry Form: https://www.mcdonalds.co.jp/cservice/

March 31, 2022