DATA PROTECTION & PRIVACY NOTICE

1. Purpose of this Notice

The McCormick Hotline (“Hotline”) provides you with a confidential method to report issues or concerns in accordance with our Business Ethics Policy, policies, or certain matters specified in an applicable whistleblowing law.

The purpose of this Hotline Privacy Notice ("Notice") is to describe how McCormick & Company, Incorporated and relevant affiliates (“McCormick,” “we,” “our,” or “us”) process any personal information that you provide when you report possible violations of our Business Ethics Policy, policies, or certain matters specified in an applicable whistleblowing law via the Hotline operated on our behalf by NAVEX, Inc. (referred to as “NAVEX” in this Notice).

In certain countries, you may only make reports in relation to limited topics as permitted by local laws. In addition, some countries may require that only employees in key or management functions may be the subject of a report. The online form or contact center will guide you as to the nature of the report that you may make in the country where you are based.

Where permitted by applicable law, we provide mechanisms for anonymous reporting. In some countries, anonymous reporting is not permitted. We generally encourage you to identify yourself in order for us to follow up with questions we may have so that we may investigate your concerns. However, you should feel free to report anonymously if permitted by applicable laws. We will treat your personal information with respect and will take reasonable steps to treat your personal information confidentially, consistent with this Notice.

If you wish to issue a report via another channel or if you are not permitted by local law to issue your report via the Hotline, then please contact us:

  • If you are an employee, please speak to your supervisor or manager or to a representative of the Human Relations, Legal or Corporate Compliance Departments, depending on the nature of the possible violation.
  • If you are not an employee of McCormick, you may notify your McCormick contact or McCormick’s General Counsel per the instructions provided in our Business Ethics Policy.

You will be prompted to acknowledge your understanding of this Notice before you can proceed to make a report (see Section 10).

2. About the Hotline

The Hotline is a web- and phone-based reporting system provided by McCormick to its employees, vendors, suppliers, and business partners, and those of its subsidiaries (“Reporters”) for making reports about possible violations of laws, regulations, our Business Ethics Policy, or other policies. In certain countries, such as the United States, the Hotline may also be used to report suspected violations of other matters.

McCormick is the controller of the processing, and NAVEX is a processor, acting on behalf of McCormick. You may contact McCormick with any questions relating to this Notice or this service using the details provided in the Contact Us section below.

The Hotline is operated in the United States by NAVEX, which also hosts the database in which the personal information that you may provide is stored. Use of the Hotline is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or manager, or to a representative of the Human Relations, Legal or Corporate Compliance Departments, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use the Hotline to make your report.

The information you supply about yourself, your colleagues, or any aspect of McCormick's operations may result in decisions that affect others. Therefore, we ask that you only provide information that you believe is true. You will not be subject to retaliation from McCormick for any report of a suspected violation that is made in good faith, even if it later turns out to be factually incorrect. Please be aware, however, that knowingly providing false or misleading information will not be tolerated.

3. Personal Information Collection

The categories of personal information we collect from you in the context of the Hotline include the following:

  1. identifiers, such as your name and contact details (unless you report anonymously, where permitted).
  2. employment information, including your employment details such as your position/title, location and work contact details;
  3. cookies or other device tracking technologies (note that we use such technologies only to support Hotline functionality during the course of your session and that the information is deleted when you close your browser);
  4. to the extent that your report involves identifying other individuals, in accordance with applicable law, the name, position/title and contact details of other persons you name in your report together with a description of the alleged misconduct, your opinions about them and a description of the circumstances of the incident which may include alleged criminal behavior; and
  5. additional information that you provide in your report, which may include special categories of information such as trade union membership, health information, or information regarding criminal activities.

4. Purposes of and Legal Bases for Use of Personal Information

We will use this personal information to:

  1. investigate the subject matter of your report and to take appropriate follow-up action, in accordance with applicable law.
  2. comply with and assess compliance with legal obligations to which we are subject.
  3. comply with and assess compliance with our policies and procedures.
  4. unless you submit an anonymous report, where permitted, contact you in connection with our investigations.
  5. exercise our legal rights, for example to detect, prevent and respond to allegations made in your report, or violations of law.
  6. carry out monitoring of the use of this service in accordance with applicable law.

Some jurisdictions require that we have a legal basis to process your personal information. In most cases the legal basis will be one of the following:

  1. to meet our legal and regulatory obligations as an employer, for example to meet our obligations under health and safety laws, and to third parties, such as the tax authorities; or
  2. to meet our legitimate interests, for example, to protect against theft or other crime. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms. For more information about the balancing test that we carry out to process your personal information to meet our legitimate interests, please contact us as stated in the Contact Us section below.

5. Information Sharing

We may share your personal information with third parties in the following circumstances:

  1. We share personal information with NAVEX, the third-party service provider that operates the Hotline and associated services on our behalf. Your personal information will be stored in a database which is located on servers hosted and operated in the United States by NAVEX. The database may be accessed for the purpose of providing technical support in the provision of the service by technical staff at NAVEX;
  2. We will share your personal information with authorized McCormick and McCormick Group personnel who need access for the purposes described above, including personnel from the following departments: Human Resources/Human Relations; Global Enablement (GE); Information Technology; Legal; Accounting; Tax and Finance; Treasury; Travel & Expense; Management Committee; and Internal Audit and external advisors (e.g. legal advisors);
  3. We may share personal information with advisors and consultants, law enforcement or other government authorities for purposes of investigating reports, complying with legal obligations, or protecting others;
  4. We may share personal information in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of McCormick (or any members of the McCormick Group) to potential investors, their auditors, and legal counsel; and
  5. When permitted by law to protect and defend our rights and property.

Because we operate as part of a global business, the recipients referred to may be located outside the jurisdiction in which you are located (or where the service is provided). See the section on ‘Transfers of Personal Information' for more information.

6. Information Security and Personal Information Retention

We have implemented generally accepted standards of technical and organisational security to protect personal information from loss, misuse, alteration or destruction. We limit access to the personal information collected via the Hotline. And we require employees to keep personal information confidential.

We will keep your personal information for a period of time that enables us to:

  1. investigate the report that you make;
  2. maintain business records for analysis and/or audit purposes;
  3. meet our regulatory requirements;
  4. comply with record retention requirements under applicable law;
  5. defend or bring any existing or potential legal claims; and
  6. deal with any complaints.

If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of the information.

7. Your Rights

We strive to ensure that information we have about you is accurate and current. However, it is your responsibility to ensure the accuracy of the information you provide to us. If you want to review the personal information you have provided to us, or believe that the information we have about you is inaccurate, you may access the appropriate system to view, delete, correct, or update your information, in the terms described below.

If you reside in the European Union, the UK, or certain other jurisdictions, you are entitled to receive confirmation from us acknowledging whether we are processing your personal information and, where applicable, to request access to the personal information in addition to certain information regarding the processing thereof (e.g. purposes, categories of the personal information subject to processing and recipients etc.) (right to access). You are entitled to request that we rectify/update inaccurate personal information (right to rectification) and to erase your personal information when, among other reasons, it is no longer necessary for the purposes for which it was collected (right to erasure). In specific cases (e.g. if you challenge the accuracy of the personal information, while this is being checked), you can request a restriction on the processing of your personal information, which can only be processed to file or defend claims (right to restriction of processing). You have the right to lodge a complaint with a supervisory authority (right to lodge a complaint). Finally, you can also exercise the right to data portability, i.e. receive the personal information in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller without hindrance from us where legally permitted for such purposes (right to data portability).

In addition to the aforementioned rights, you are entitled to object, at any time, for reasons related to your particular situation, to our processing of your personal information based on our legitimate interests or those of a third party, in which case we will cease in processing your personal information unless applicable laws permit continued processing, such as where the processing is needed to establish, exercise, or defend legal claims. You may also have a right to request information on the appropriate safeguards we put in place in association with international transfers of personal information.

Moreover, and in connection with those scenarios where you have given your consent to a particular type of processing in relation to your personal information, you may withdraw such consent at any time. The withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of the above rights, or to inquire about the rights you may have, please contact us as stated in the Contact Us section below.

8. Transfers of Personal Information

Your personal information may be transferred to, stored, and processed in a country other than the one in which it was provided, such as the United States. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable data protection laws to ensure that your personal information is adequately protected.

Your report and your details may be held on the secure servers of NAVEX located in the United States and may be transferred to NAVEX sub-processors outside the United States for service and support or translation and interpretation purposes, subject to appropriate safeguards.

9. Contact Us

If you have any questions about this Notice or would like to request enforcement of your rights under applicable data protection law, please contact:

10. Acknowledgement

I have read and understand how my personal information and the personal information that I provide about third parties will be used when I make a report of the nature described in this Notice.