This Privacy Notice was last reviewed on February 14, 2024.
This Privacy Notice explains how McKinsey & Company, Inc. United States and its subsidiaries and affiliates (collectively, “McKinsey”, “us” or “we”) process personal data that we obtain from your access to and use of our proprietary data- and analytics-driven tools, surveys and solutions, including those described at https://www.mckinsey.com/solutions (the “Solutions”), to perform benchmarking, research, development, and related activities, and as authorized under applicable data privacy laws.
If you are accessing these Solutions in connection with services that McKinsey is providing to the organization with whom you are associated (“Your Organization”), McKinsey has executed a licensing or consultancy agreement for the provision of professional services (the “Solution Agreement”), and those contract terms and Your Organization’s privacy practices control personal data processed on behalf of Your Organization. This Privacy Notice supplements any notice that you may receive from Your Organization, and it applies only to McKinsey’s use of your personal data for its own purposes as described in this Privacy Notice. We may update this Solutions Privacy Notice at any time, and we will make an updated copy of this Notice available on the McKinsey website.
For California residents, please note that we do not share or sell your personal data as those terms are defined in California Civil Code § 1798.140.
1. How do we collect your personal data when we are acting as a processor?
We may collect and process personal data about you for the purpose of providing services to, and on behalf of, Your Organization (our client), either from Your Organization, from a third party identified by Your Organization, or directly from you, including via surveys, questionnaires or other information-gathering tools supplied by Your Organization or by us. If we do so, McKinsey acts as a data processor on behalf of Your Organization. This personal data may include, without limitation, business contact information such as your name, professional email address, or employee ID, job role, department, or reporting line (“Business Contact Information”); demographic and other professional information such as work history and education; finance-related information such as compensation and benefits, performance ratings; progress and proficiency data such as assessment scores, course completion rates and performance metrics, course evaluations, survey and discussion responses; technical information related to systems and devices, such as IP address information, log-in information, account information, usage metrics, browser telemetry (e.g., type, version), time stamps; and other personal data similar to the foregoing. McKinsey shall not be responsible or liable for the use of such information by Your Organization (e.g., making certain of your personal data visible to other members of Your Organization or third parties (such as other participants in your learning session)), and such use shall be subject to Your Organization’s policies (including privacy policies) applicable to you.
2. How and what categories of personal data do we collect when we act as a data controller, for what purpose(s) and who has access to your personal data?
McKinsey may act as a controller to the extent that we process your personal data in connection with your use of the Solutions or your participation in McKinsey’s surveys or questionnaires, including log-in and Business Contact Information to allow you to set up a user account to use and access the Solutions; personal data that we collect for security purposes (for example, device information, IP address, and log data) to provide technical support and maintenance support; and to improve our services and Solutions, such as your usage data while using the Solutions.
As a data controller, we use this personal data for our own business purposes, including (subject to our obligations to Your Organization) for providing our services to our clients, benchmarking, impact tracking (e.g., counting in and across Solutions the number of total users who have taken a course or used a Solution), research and reporting, product or business development purposes, and further developing, improving, securing and optimizing Solutions usage, performance, features, and functionality. In certain situations, we may collect sensitive personal data (e.g. biometric data, health related information, sexual orientation, data about ethnicity, race, religion or philosophical beliefs, political opinion, trade union membership) directly from you, for instance when you respond to a survey conducted by McKinsey and provide us with demographic or other personal data, for research, data analysis or statistical purposes. We use sensitive personal data only with your consent unless another lawful basis exists (for example, public health requirements). We may combine personal data that we receive directly from you with personal data that we collect through your use of McKinsey’s website or other client services (including your use of other Solutions) or that we receive from third parties, including Your Organization. All collection and use of personal data and sensitive personal data will be based on this privacy notice and with the purposes and access described in this notice, unless otherwise stated to you in a supplementary notice at the time of the collection.
The section below summarizes the purposes for which McKinsey processes your personal data as a data controller, the categories of personal data that we use for each purpose, and the legal grounds on which each data processing activity is based, along with who has access to the personal data.
Benchmarking, analytics, and reporting
Purpose: We perform benchmarking, data analytics, and reporting activities, such as the analysis of inputs, usage, and performance metrics of our Solutions across industries, users, and our clients, including Your Organization. This may include the analysis of the change in certain metrics for the users or our clients of the Solutions. Where we provide analytics or reports, we only do so after we have sanitized or aggregated the data, except for those provided to Your Organization at their direction.
Categories of data: Specific business information related to you, your professional background and role, location, access, inputs, usage, and behavioral data or similar information (like your productivity, progress, and proficiency data).
Legal ground: Legitimate interest in doing research, analytics, improving our services, and reporting activities as part of our business and, when needed, your consent to McKinsey or to the third parties that provide us with the information (such as Your Organization).
Data recipients: McKinsey subsidiaries and affiliates, our clients, including Your Organization, or third-party service providers as disclosed in our Global Data Privacy Notice.
Provision, operation, and improvement of McKinsey’s services and Solutions
Purpose: Provide our services or products to our clients, including benchmarking products. This includes the operation, maintenance, and improvement of the services and Solutions, and if you use multiple Solutions, combining your usage and behavioral data from those Solutions to improve our services or products. This may include identifying other courses, services, or offerings of McKinsey that may be of interest to you or current or prospective users or clients.
Categories of data: Access, inputs, usage data, including behavioral data, email, name for communication with you, preferences on website or app use, or similar information (like your productivity, progress, and proficiency data).
Legal ground: Legitimate interest in promoting and protecting McKinsey, provision and improvement of our services and building and maintaining relationships.
Data recipients: McKinsey subsidiaries and affiliates, our clients, including Your Organization, and third-party service providers as disclosed in our Global Data Privacy Notice.
Compliance with laws, and exercise legal actions
Purpose: Comply with all applicable regulations, exercise legal actions and legal defense at courts, prevent fraud, enforce McKinsey’s agreements, this Privacy Notice, the Cookie Notice and our terms of use and comply with our corporate reporting obligations.
Categories of data: Categories of data will depend on the particular regulation or request coming from a competent authority.
Legal ground: Compliance with all applicable laws and regulations.
Data recipients: McKinsey subsidiaries and affiliates and third party service providers as disclosed in our Global Data Privacy Notice.
Applications, security, and Solutions performance
Purpose: McKinsey may collect personal data from your use of our applications, websites and services to analyze user activity to fix errors, monitor usage, and improve the security and performance of our websites, services and Solutions and mobile applications. For example, McKinsey receives reports on some of our mobile applications’ aggregate usage and browsing patterns. McKinsey also receives reports on certain errors occurring within mobile applications.
Categories of data: Data on browsing patterns and mobile app usage, User ID/Name/Business email address and IP address including information about the type of device used, articles accessed, and other events occurring within our apps.
Legal ground: Legitimate interest to improve functionality and ensure security of users’ data and our business.
Data recipients: McKinsey subsidiaries and affiliates and third party service providers as disclosed in our Global Data Privacy Notice.
Aggregation, anonymization, and de-identification of your data
Purpose: McKinsey may aggregate, de-identify or anonymize your personal data so that, depending on the law, your data is no longer considered as personal data. We may use such data for the provision and improvement of our services, including training and improving artificial intelligence and other data models, building benchmark databases or creating reports on sanitized or aggregate trends and metrics, as well as tracking impact or usage of our Solutions like total number of users, assessing completion rates and/or analyzing assessment scores.
Categories of data: Access, inputs, usage data including behavioral data, productivity, progress, and proficiency data, or similar information.
Legal ground: Legitimate interest for the provision and improvement of our services and to protect your privacy.
If consent as a legal basis has been relied upon, as required in certain jurisdictions, and you have withdrawn your consent, it may impact the functionality and may affect your experience with or ability to use our Solutions.
3. Data collection from children
McKinsey’s Solutions are not designed for use by anyone under the age of 16 and McKinsey does not knowingly provide services to anyone under the age of 16. To the extent that any of our Solutions may involve collecting or maintaining personal data from or about individuals under the age of 16, we would do so only with the required legal consent from the parent, guardian, or individual and in accordance with applicable law.
4. What do we NOT do when we collect and process your personal data?
California residents: We do not share or sell your personal data as those terms are defined in California Civil Code § 1798.140.
When we receive deidentified data or we transform personal data that we have collected into deidentified data, we make the following commitments:
- McKinsey will maintain deidentified data in deidentified form.
- Except to the extent necessary to confirm that personal data has been transformed into deidentified data, McKinsey will not attempt to identify or reidentify specific individuals within a deidentified data set or otherwise use deidentified data to attempt to associate specific individuals with their individual characteristics and will not permit any entity or individual acting on McKinsey’s behalf to do so.
- To the extent, if any, that McKinsey provides access to or otherwise discloses a deidentified data set to a non-McKinsey recipient, for example, a service provider or a client, McKinsey does not permit such recipient to attempt, or permit others to attempt, to identify or reidentify specific individuals within the deidentified data set or otherwise use deidentified data to attempt to associate specific individuals with their individual characteristics.
McKinsey Solutions do not collect your personal data or track your activities over time across third party websites or other online services (e.g., your general web browsing history). Accordingly, we do not alter our data collection and use practices in response to “do not track” signals transmitted from web browsers.
5. Who has access to your personal data? Data recipients and international data transfers
The personal data will only be shared where permitted by applicable law. We may, for example, share your personal data with our affiliates or third-party service providers, such as IT infrastructure and technology providers, or in the event of the acquisition of the relevant McKinsey affiliate by a third-party entity, or where required by law, with governmental or public authorities. Since you are using our Solutions on behalf of Your Organization, we may share your personal data with Your Organization, as agreed between Your Organization and us in the Solution Agreement.
Since McKinsey is a global organization, affiliates and service providers to which we transfer your personal data collected via the Solutions may be located in countries which may have different data protection laws than those in your country of residence. McKinsey will implement safeguards to protect your personal data across McKinsey’s global operations. Where required by law, we have put in place legal mechanisms designed to ensure adequate data protection of your personal data that is processed by McKinsey affiliates and service providers, including Standard Contractual Clauses, and such other data transfer mechanisms as available by applicable law.
6. Security
McKinsey protects and safeguards your personal data globally, in accordance with applicable law, our privacy and data security policies, and this Privacy Notice. We use generally accepted standards of technical and operational security to protect your personal data against accidental or unlawful loss, misuse, alteration, or destruction, in consideration of the risks associated with the personal data and its processing, and we require the same level of protection and safeguarding from our subsidiaries and affiliates, our service providers, and third parties. Only authorized personnel of McKinsey and of our service providers are permitted to access personal data, and these employees and service providers are required to treat this information as confidential. Despite these precautions, however, McKinsey cannot guarantee that unauthorized persons will not obtain access to your personal data.
7. How long do we keep your personal data?
McKinsey keeps your personal data only as long as necessary for the business purpose(s) for which it was collected to meet our legal or contractual obligations (including those with Your Organization) and in compliance with McKinsey’s data retention policy. McKinsey will retain the data for as long as it is needed to perform legal, regulatory, or post-contractual obligations, including McKinsey’s legal, regulatory, and documented professional archival obligations, or any disputes or litigation procedure, and will delete the personal data in accordance with McKinsey’s retention schedule. We will securely delete your personal data promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.
8. What are your data protection rights and how can you exercise them with us as the data controller?
8.1. What are your data protection rights?
Subject to applicable law, including exceptions, you have the following rights with regard to the personal data that we collect about you:
- Right to request a copy of your personal data, or information about the personal data that we hold about you, including information about how we use your personal data, who has access to it, and the terms under which third parties have access to your personal data.
- Right to request portability of your data to permit you to provide a copy of your personal data in a structured, commonly used and machine-readable format and to transmit that personal data to another controller.
- Right to request that we correct or otherwise amend or delete your personal data if it is not correct or otherwise not complete, timely, and accurate for the purpose(s) for which we are using it.
- Right to request that we cease processing or restrict or limit the processing of your personal data.
- Right to withdraw your consent to our processing of your personal data where the basis of our processing is your consent.
- Right to not be discriminated against for exercising your individual rights regarding your personal data.
- Right to request review by McKinsey’s Global Privacy Officer and, if applicable, McKinsey’s data protection officer for your jurisdiction, of our response to your request to exercise your individual data protection rights.
- Right to seek additional legal remedies regarding our response to your request to exercise your individual data protection rights, including, depending upon your jurisdiction, by lodging a complaint with your data protection authority or initiating a legal proceeding.
8.2. How do you exercise your data protection rights?
You can contact the Global Privacy Officer or the Data Protection Officer for your jurisdiction, at privacy@mckinsey.com.
If you would like to exercise your data protection rights regarding your personal data, you can do so by:
- Completing the data-subject request form;
- Emailing your request to us at datasubjectrights@mckinsey.com;
- For requests from U.S. residents, you may call us at 1-844-582-3015 using the six-digit PIN code: 736 415.
Upon receipt of your request to exercise your data protection rights, we will acknowledge receipt within the time period required by applicable law and provide you with information about the next steps in the process and the timing. To help protect your privacy and security, we may take reasonable steps to verify your identity before acting on certain data protection rights, in accordance with applicable law. If you are using an authorized agent to exercise your data protection rights and that agent does not provide a power of attorney with the initial request, we may request further evidence of the agent’s right to act on your behalf, including valid written authorization or contacting you to verify the request.
Please note that applicable laws include exceptions to assertions of data protection rights that may prevent us from providing access to your personal data or otherwise fully complying with your request. If we believe exceptions apply, we will respond to your request to the extent we are able to do so, and we will provide an explanation of the basis for not complying wholly or partially with your request.
For further details, especially if you are using any additional services or applications of McKinsey, including our mckinsey.com website, please find further information on how we are using and protecting your personal data in the McKinsey Privacy Notice.
For further information on how McKinsey is using cookies in relation to the use or access of McKinsey Solutions, please see McKinsey’s Cookie Notice.
Additionally, please note that McKinsey Solutions may include links or directions to third party websites or information (e.g., an article posted on another website). If you use these links, you will leave the Solution that you are using. Such links do not constitute or imply an endorsement, sponsorship, or recommendation by McKinsey of the third party, the third-party website, or the information contained therein, and McKinsey shall not be responsible or liable for your use thereof. Such use shall be subject to the terms of use and privacy policies applicable to those sites.
In addition, where you use the Solution through a website, application, or platform (“Platform”) operated by a third party (a “Mobile Platform Provider”) where, for the purpose of your access to the Platform, you are required to share data with the Mobile Platform Provider, for example, to create user credentials allowing you to use their platform to access the Mobile Offering (e.g., logging into an app store), that personal data is stored outside of McKinsey’s control and will be subject to the relevant Mobile Platform Provider’s own terms and privacy policies.