Privacy Notice for California Employees
CALIFORNIA LAW REQUIRES THAT WE PROVIDE YOU THIS NOTICE ABOUT THE COLLECTION AND USE OF YOUR PERSONAL INFORMATION. WE ENCOURAGE YOU TO READ IT CAREFULLY.
Effective Date: July 1, 2023
1. Introduction
This notice (“Notice”) describes the categories of personal information that The Habit Restaurants, LLC and its subsidiaries and affiliates, (“Company”, “we”, “us” and “our”) collects about our employees who are California residents, and how we use and disclose that information. California Notice at Collection. You can find our CCPA Notice at Collection below for employees who are California residents.
This notice applies to personal information collected about you in your capacity as an employee. See our California Privacy Policy for more information about how we use your information, and our Privacy Policy for information about our practices when you interact with us offline or online in the same manner that a website visitor or other non-employee may interact with us.
For purposes of this Notice, “personal information” and “sensitive personal information” have the meaning given in the California Consumer Privacy Act of 2018 (as amended, the “CCPA”). This Notice does not create or form part of any employment contract. If you have questions about this Notice, please contact HBGPrivacy@yum.com.
2. California Notice at Collection
The two charts below summarize the personal information we collect from employees by reference to the categories of personal information and sensitive personal information specified in the CCPA (Cal. Civ. Code §1798.140) and describes our practices currently and during the 12 months preceding the effective date of this Notice. The terms in the charts refer to the categories of information, categories of sources, purposes for collection, and categories of third parties to whom we disclose personal information and sensitive personal information that are described in further detail in this Notice. Information you voluntarily provide to us may contain other categories of personal information not described below.
See Section 4.3 below for information on how long we retain your information. See Section 5 below for information on your California consumer rights.
Personal Information
| Personal Information we Collect | CCPA statutory category | Categories of third parties to whom we disclose PI for a business purpose | Categories of third parties to whom we “sell” or “share” PI |
|---|---|---|---|
| Contact information |
|
|
N/A |
| Immigration status |
|
|
N/A |
| Biographical information |
|
|
N/A |
| Professional qualifications |
|
|
N/A |
| General employment information |
|
|
N/A |
| Compensation, benefits, and payroll information |
|
|
N/A |
| Performance information |
|
|
N/A |
| Information about related persons |
|
|
N/A |
| Credentials, technology, access, and systems information |
|
|
N/A |
| Expenses and travel information |
|
|
N/A |
| Healthcare, welfare, and medical information |
|
|
N/A |
| Information needed to evaluate accommodations |
|
|
N/A |
| Data derived from the above | Inferences |
|
N/A |
| Social security, driver’s license, state identification card, and/or passport number |
|
|
N/A |
| Account log-in data |
|
|
N/A |
| Racial or ethnic origin, religious or philosophical beliefs, and/or union membership |
|
|
N/A |
| Biometric information |
|
|
N/A |
| Mail, email and text message contents |
|
|
N/A |
| Health data | Information concerning a person’s health |
|
N/A |
| Sex life/sexual orientation data | Information concerning a person’s sex life or sexual orientation |
|
N/A |
3. Information we collect about employees
3.1 Categories of personal information
Below are categories of personal information we may collect and process before, during and after your
employment. For each category listed, the CCPA requires us to identify the statutory category under Cal.
Civ. Code Section 1798.140(v)(1) to which it corresponds. These statutory categories are listed as
“California categories” in the California Notice at Collection chart in Section 2.
- Contact information, such as your work and home address, telephone number, email address and social media handles;
- Identification information, such as your social security number, government-issued identification information (e.g., driver’s license, passport), photographs, or other similar identifiers;
- Immigration status and other information that would allow us to verify your employment eligibility;
- Biographical information, such as name, gender, date of birth, professional history, language proficiencies, professional qualifications, references, education details, information in your company biography, social media profiles and activity, and your photo;
- Professional qualifications, such as professional designations, licensure information, memberships, leadership positions, credentials, professional qualifications and continuing education information;
- General employment information, such as department, work location, job title, dates of employment, work status (e.g., full-time/part-time), any terms or conditions of employment, work history (current, past, or prospective), timekeeping information, personnel and disciplinary records, training and learning program participation, information necessary to complete background checks, drug and/or alcohol tests, and other screens permitted by law, and other information reasonably necessary to administer the employment relationship with you, including without limitation information related to absence administration, workers’ compensation matters and emergency services;
- Compensation, benefits and payroll information, such as salary and bonus details, benefits information (including information regarding health insurance, retirement savings), equity award information, bank account information and working time records (e.g., vacation and absence records, sick leave, leave status, and hours worked);
- Performance information, such as management metrics, performance evaluations, feedback, and promotion history;
- Information about related persons, such as your spouse, domestic/civil partner, dependents, beneficiaries and emergency contacts;
- Credentials, technology, access and system information, such as your Company email address, usernames, passwords, and keycard number; information about your use of, as well as content and communications you send and receive through, devices, Company communications, IT systems and applications (e.g., time of use, files accessed, search history, web pages viewed, IP address, device ID, device location); and information about your access to and location within offices and facilities (e.g., keycard scans and security camera footage);
- Expenses and travel information, such as information about your business travel and other business expenses;
- Health care, welfare, and medical information, such as information related to employee or their eligible dependent’s participation in wellness and employee assistance programs, executive physicals and health insurance programs and your body temperature, vaccination status, health symptoms and other screening and tracking information (including travel information, participation in health education programs, and information about your related persons) in connection with the Company’s health and safety plans and protocols, including screening required to access Company offices/facilities and other measures designed to prevent the transmission of COVID-19 or other infectious diseases (such as contact tracing, your recent in-office activities, or test results);
- Biometric information, such as your fingerprint, retinal or facial scans when you use our biometric timekeeping or security systems;
- Information needed to evaluate accommodation requests regarding potential disabilities or other health conditions; and
- Other information you provide to us, such as your feedback and survey responses where you choose to identify yourself.
In certain cases, we may ask you for additional information for purposes of monitoring equal opportunity and/or complying with applicable laws. We may also inquire about criminal and/or credit records. We will do so only where permitted by applicable law.
3.2 Sensitive personal information and protected classification characteristics
With the possible exception of “contact information”, the categories above include, or contain information from which it may be possible to infer, sensitive personal information and characteristics of protected classifications under California or federal law if applicable. However, we do not use or disclose sensitive personal information in ways subject to the right of California residents to limit use of sensitive personal information under the CCPA. See Section 2 (California Notice at Collection) for additional details and categories of sensitive personal information that we collect, use and disclose.
3.3 Sources of personal information
We collect personal information from you during your candidacy for a job, and during and after your employment.
We may also collect your personal information from various other sources and combine it with the personal information you provide to us. For example, we may collect your personal information from:
- job board websites you may use to apply for a job with us;
- providers of services that we make available to our employees as part of our benefits program;
- prior employers, when they provide us with employment references;
- professional references that you authorize us to contact;
- providers of background check, credit check, or other screening services (where permitted by law);
- your public social media profiles or other publicly available sources;
- employment agencies or recruiters;
- your related persons who chose to communicate with us directly;
- Company communications and IT systems/applications that automatically collect information about, and transmitted by, users; and
- other Company personnel.
This section generally describes our practices currently and during the preceding 12 months. You should assume that each category of personal information we collect may have been collected from each category of sources listed above in this section.
4. How we use personal information of employees
4.1 Purposes for which we use personal information
We may use the categories of personal information above for the following purposes:
- Workforce management. Managing work activities and personnel generally, such as:
- recruiting, interviewing and evaluating job candidates and employees;
- administration of payroll, wages and other compensation;
- granting and administering equity awards, bonuses, commissions and other incentive awards;
- administering and evaluating employee benefits, including healthcare, pensions, retirement and savings plans and loans;
- maintaining contact details of your designated dependents and beneficiaries and communicating with them as necessary in the administration of your employee benefits and awards;
- maintaining contact details of your designated emergency contacts and communicating with them as necessary in emergencies;
- administering and evaluating vacation, paid time off, sick leave, and other leaves of absence;
- performance and compensation evaluation and promotions;
- providing training and career development opportunities;
- administering employee transfers, reassignments and secondments;
- conducting employee surveys and soliciting employee feedback;
- performing background, reference, or credit checks;
- managing disciplinary matters, grievances and terminations;
- administering business expense tracking, reimbursements and travel;
- assisting with obtaining an immigration visa or work permit;
- improving our application and/or recruitment process, including improving diversity;
- accommodating disabilities or health conditions;
- providing information technology resources and support;
- maintaining internal employee directories;
- communicating with you;
- otherwise administering our employment relationship with you; and
- analyzing our workforce and information relating to any of the activities above.
- Business operations. Operating and managing our business, including managing communications and IT systems; research, development and operation of our products and/or services; managing and allocating Company assets and personnel; strategic planning and project management; business continuity; maintenance of business and audit records; budgeting, financial management and reporting; internal communications; promoting our business; physical and information security; health and safety, including the personal safety and security of employees, contractors, vendors and other visitors; and evaluating and undergoing mergers, acquisitions, sales, re-organizations or disposals and integration with purchasers.
- Compliance, safety and protection. Complying with legal and other requirements, such as tax, audit, recordkeeping, reporting, verifying identity and eligibility to work, and equal opportunities monitoring requirements; complying with lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; protecting our, your or others’ rights, safety and property, including by complying with applicable public health guidelines and requirements, including, without limitation, guidance from the Centers for Disease Control or other public health authorities relating to the prevention and control of COVID-19 or other infectious diseases; investigating and deterring against fraudulent, harmful, unauthorized, unethical or illegal activity, or conduct in violation of our policies or procedures; pursuing legal rights and remedies, including investigating, making and defending complaints or legal claims; administering and enforcing internal policies and procedures; and disclosing information to government authorities, law enforcement, courts or private parties for the foregoing purposes.
- Monitoring. Monitoring offices and facilities, IT and communications systems, devices, equipment and applications through manual review and automated tools such as security software, website and spam filtering software, mobile device management software, and controlling access to and monitoring our physical premises (e.g., by requiring health screenings to access offices/facilities and using security cameras and keycard scans) to protect our, your or others’ rights, safety and property; operate, maintain and protect the security of our network systems and devices; protect our proprietary and confidential information and intellectual property; for recordkeeping and archiving; for personnel training and/or performance management; for the compliance, safety and protection purposes described above; to investigate and respond to security and other incidents; and for business continuity (such as monitoring business-related emails following an employee’s departure).
- Analytics. Creating anonymous, aggregated or de-identified data that we use and disclose to analyze our workforce and business and for other lawful business purposes.
4.2 Disclosing personal information
We may disclose your personal information with the following parties for the purposes described above:
- Affiliates. Our corporate parent, subsidiaries, and other affiliates under the control of our corporate parent, for purposes consistent with this Notice or to operate shared infrastructure, systems and technology.
- Company service providers. Providers of services to the Company, such as payroll administration, benefits and wellness, human resources, occupational health, performance management, training, expense management, travel agencies, transportation and lodging, IT systems and support, information and physical security, background checks and other screenings, equity award administration, corporate banking and credit cards, health care, trade associations, insurance brokers, claims handlers and loss adjusters, and any necessary third party administrators, nominees, registrars or trustees appointed in connection with benefits plans or programs.
- Employee service providers. Providers of services to eligible employees as part of our employee benefits program (e.g., financial advisors, securities brokers, financial institutions and providers of health, fitness, wellness, childcare and concierge services) who need your information to verify your eligibility and provide you with services.
- Our marketing audience. Current and prospective customers and other business contacts with whom we disclose your Company contact details, bio, and other information you authorize us to diclose, including on our website or in other publicly available marketing materials and communications as part of our marketing activities.
- Government authorities, law enforcement and others. Government authorities, law enforcement, courts, and others as described in the compliance, safety and protection section above.
- Business transfer participants. Parties to transactions and potential transactions whereby we sell, transfer or otherwise disclose some or all of our business or assets, including your personal information, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
- Professional advisors. Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors who require your information in the course of providing their services.
- Customers and business partners. Customers, other companies and individuals with whom the Company does business or is exploring a business relationship.
- Other parties not listed above but that are identified at or before the point at which we collect your personal information along with the purposes for which the information will be disclosed.
4.3 Retention
We will retain each category of personal information identified above as long as reasonably necessary to fulfill the purposes for which we collected it, to meet legal and accounting obligations, and for the other purposes described in this notice, or as otherwise required or permitted by law. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. When we no longer require the personal information, we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
5. California privacy rights
5.1 Your California privacy rights
California residents have the rights listed below under the CCPA. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
- Information. You can request the following information about how we have collected and used your personal information during the past 12 months:
- The categories of personal information that we have collected.
- The categories of sources from which we collected personal information.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties to whom we disclose personal information for a business purpose.
- The categories of personal information that we sold or shared.
- The categories of third parties to whom the personal information was sold or shared.
- Access. You can request a copy of the personal information that we have collected about you.
- Deletion. You can ask us to delete the personal information that we have collected from you.
- Correction. You can ask us to correct inaccurate personal data that we have collected about you.
- Opt-out of sales or sharing of personal information. California residents can opt-out of any “sale” or “sharing” of personal information as such terms are defined under the CCPA. We do not sell or share personal information of employees collected in the employment context and have not done so in the preceding 12 months. However, we encourage you to review our Privacy Policy for information about the sale or sharing of personal information that may occur when you interact with us offline or online in the same manner that a website visitor or other non-employee may interact with us.
- Limit the use or disclosure of sensitive personal information. California residents can limit the sharing or disclosure of sensitive personal information for reasons other than those described in § 7027 of the CCPA. We do not share or disclose sensitive personal information regarding employees collected in the employment context beyond those purposes. However, we encourage you to review our Privacy Policy for information about the sharing or disclosure of sensitive personal information we may collect when you interact with us offline or online in the same manner that a website visitor or other non-employee may interact with us.
- Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the CCPA, including exercising such rights without retaliation.
5.2 How to exercise your California privacy rights
You may submit requests to exercise your rights through our internal employee Oracle portal, by emailing HBGPrivacy@yum.com using your work email address, by filling out our California Data Subject Request webform, or by calling our toll free number 1-800-822-6235. Submitting your request through such channels allows us to verify your identity as required by the CCPA. As such, we cannot accept requests through other channels. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. We reserve the right to confirm your current California residency.
Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with confirmation that you have given the authorized agent permission to submit the request.
6. Third parties
This Notice does not address, and we are not responsible for, the practices of any third parties, which have their own rules for how they collect and use your personal information. Our links to third party websites or services are not endorsements.
7. Changes to this Notice
We reserve the right to change this Notice at any time. The “Effective Date” heading at the top of this Notice indicates when it was last revised. Any changes will become effective when we post notice of the revision on our privacy policy.
8. Your obligations
It is your responsibility to ensure that information you submit to the Company does not violate any third party’s rights. You should keep your personal information on file with the Company up to date and inform us of any significant changes to it.