McKinsey & Company, Inc. United States and its United States affiliates (collectively, “McKinsey”) respect your concerns about privacy. McKinsey complies with laws and regulations pertaining to data privacy and data protection applicable to McKinsey in its role as a data processor. In particular, when McKinsey transfers any Personal Information (as described below) from the European Economic Area (“EEA”) or Switzerland to McKinsey in the United States, McKinsey complies with the data privacy principles of notice, choice, onward transfer, access, security, data integrity, enforcement and oversight as applicable to such personal information and as described in this privacy statement (the “Privacy Statement”).
As a further demonstration of its commitment to data privacy and protection, McKinsey has self-certified certain of its client service solutions to the privacy principles set forth in the US-EU Safe Harbor Framework. While McKinsey is aware of and abides by the recent decision of the European Court of Justice regarding the US-EU Safe Harbor Framework, McKinsey also believes that the Safe Harbor principles continue to represent an important declaration of the seriousness with which McKinsey takes the privacy and security of the Personal Information subject to this Privacy Statement. Accordingly, McKinsey will continue to abide by the Safe Harbor principles with respect to such Personal Information, in addition to any agreements governing the use of Personal Information. For more information about McKinsey’s Safe Harbor certification and the Safe Harbor principles please visit: http://www.export.gov/safeharbor
Personal Information Received from EEA / Switzerland
In connection with client engagements involving the use of McKinsey’s OrgLab, Organizational Health Index (OHI), Top Team Effectiveness (TTE), People Analytics, and Influencer solutions (collectively, the “Solutions”), McKinsey may receive in, or access from, the United States personal information about its clients’ personnel located in the EEA or Switzerland (“Personal Information”), either directly from the relevant client or via surveys or questionnaires completed by client personnel (the “Studies”). This Personal Information may include, without limitation, business contact information, employee ID, job role and reporting line, demographic information, work history, compensation and performance ratings. McKinsey uses the Personal Information to perform services for its clients and to administer and manage its relationships with its clients. In connection with these Studies, McKinsey acts as a professional services provider and handles the Personal Information in accordance with its clients’ instructions.
In addition, with respect to certain of the Studies, and with the consent of the individuals providing Personal Information in connection with the Studies to the extent required by applicable law, McKinsey may perform benchmarking and/or research activities using certain limited Personal Information (“Benchmarking Activities”).
McKinsey’s collection, storage, use, transfer and other processing of the Personal Information complies, as appropriate, with the principles of notice, choice, onward transfer, access, security, data integrity, enforcement and oversight as described in this Privacy Statement.
Notice and Choice
With respect to the Studies, McKinsey acts as a professional services provider to its clients. Accordingly, the relevant clients are responsible for providing appropriate notice to the individuals whose Personal Information may be transferred to McKinsey, providing individuals with certain choices with respect to the use or disclosure of their Personal Information, and obtaining any requisite consent. In connection with the Benchmarking Activities and to the extent required by applicable law, McKinsey either provides notice directly to the relevant individuals and offers certain choices regarding the use or disclosure of their Personal Information, or works with the relevant clients to do so.
McKinsey uses the Personal Information only for the purposes indicated in this Privacy Statement unless it has a legal basis, such as consent, to use the information for other purposes.
McKinsey does not disclose the Personal Information to third parties, except where: (i) we have the relevant permissions to make the disclosure; (ii) the disclosure is required by law or regulation or by law enforcement or government authorities or in connection with a legal claim; (iii) the disclosure relates to a sale or transfer of the relevant McKinsey business or assets (including in the event of a reorganization, dissolution or liquidation); (iv) the disclosure is to a McKinsey affiliate; or (v) the disclosure is to third party service providers as described in the “Onward Transfer” section of this Privacy Statement.
Relevant information also may be found in privacy notices pertaining to specific data processing activities.
We use third party service providers to support the Solutions and/or specific Studies. These service providers may access the Personal Information in performing their services. Except as permitted or required by law, we require such service providers to be based within the European Union, Switzerland or another adequate jurisdiction or to enter into a written agreement to comply with the data privacy laws applicable to McKinsey’s processing of the Personal Information.
Access to Personal Information
With respect to the Studies, McKinsey acts as a professional services provider to its clients. Accordingly, the relevant clients are responsible for providing individuals with access to their Personal Information and the right to correct, amend or delete the information where it is inaccurate. In these circumstances, individuals should direct their questions to the appropriate client. When an individual is unable to contact the appropriate client, or does not obtain a response from the client, McKinsey will provide reasonable assistance in forwarding the individual’s request to the relevant client.
With respect to the Benchmarking Activities, McKinsey, in cooperation with the relevant Client, provides individuals with reasonable access to their Personal Information that McKinsey maintains about them. McKinsey also provides a reasonable opportunity for the relevant individuals to correct, amend or delete their Personal Information where it is inaccurate, as appropriate. McKinsey may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by applicable law. The right to access Personal Information also may be limited in some circumstances by local law requirements. To request access to your Personal Information, please contact McKinsey as indicated below.
McKinsey takes reasonable precautions to protect the Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
McKinsey takes reasonable steps to ensure that the Personal Information we process is (i) relevant for the purposes for which the information is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. In this regard, McKinsey depends on its clients to update and correct the Personal Information to the extent necessary for the purposes for which the information was collected or subsequently authorized by the individuals.
Enforcement and Oversight
McKinsey has established procedures for periodically verifying implementation of and compliance with the principles described in this Privacy Statement. McKinsey conducts an annual self-assessment of its practices to verify that the attestations and assertions made in connection with this Privacy Statement are true and that our privacy practices have been implemented as represented herein.
With respect to the Personal Information processed by McKinsey on behalf of its clients in connection with the Studies, individuals should submit complaints concerning the processing of their Personal Information to the relevant client in accordance with the client’s dispute resolution process. McKinsey will participate in this process at the request of the client or the individual. If the issue cannot be resolved through the client’s internal dispute resolution mechanism or McKinsey’s internal processes, and with respect to complaints concerning McKinsey’s processing of the Personal Information for Benchmarking Activities, McKinsey will cooperate with JAMS in accordance with the JAMS Safe Harbor program, which is described on the JAMS website at http://www.jamsadr.com/safeharbor/. JAMS or the individual also may refer the matter to the U.S. Federal Trade Commission, which has Safe Harbor enforcement jurisdiction over McKinsey.
Relevant individuals may file a complaint concerning McKinsey’s processing of their Personal Information with McKinsey’s Legal Department, whose contact information is below. McKinsey will take steps to remedy any issues arising out of a failure to comply with this Privacy Statement. Please contact McKinsey as specified below to address any complaints regarding McKinsey’s privacy practices with respect to the Personal Information.
How to contact McKinsey
To contact McKinsey with questions or concerns about this Privacy Statement or McKinsey’s practices concerning the Personal Information please write to:
McKinsey & Company, Inc. United States
Attention: Legal Department
711 Third Avenue, 4th Floor
New York, NY 10017
Amendments to this Privacy Statement
We may amend this Privacy Statement from time to time in a manner consistent with applicable laws by posting a new statement at this location. The last date of amendment of this Privacy Statement was May 20, 2016.