PRIVACY POLICY FOR CALIFORNIA EMPLOYEES

          Last Updated and Effective as of January 1, 2023

 

Chick-fil-A, Inc. (“we”, “Company” or "CFA") is committed to protecting the privacy and security of personal information of its current and former California employees (“Employees” or "you") as well as emergency contacts, dependents and beneficiaries in compliance with applicable law.  We collect information about you and your emergency contacts, dependents, and beneficiaries ("personal information") in connection with CFA's human resources, employment, benefits administration, health and safety, and other purposes, as outlined in this Privacy Policy for California Employees ("Privacy Policy").  We do not sell or share, and in the past 12 months have not sold or shared, personal information as defined under applicable law, including personal information of individuals we know to be under 16 years of age.

 

If you have any questions about this Privacy Policy or need access to this Privacy Policy in an alternative format for accessibility, please contact us by emailing TalentPrivacy@chick-fil-a.com or calling 1 (833) 907-3207.  This Privacy Policy may be updated from time to time to reflect changes in our personal information practices, and we will notify you of any such changes pursuant to applicable law.

 

1.     What Categories of Personal Information Do We Collect From Employees?

 

We collect, and within the past 12 months have collected, the following categories of personal information from our Employees, from devices used to access our IT systems, and through our service providers such as data analytics providers and benefits providers.  We may have collected the following information about you, depending on factors like your role and the information you have voluntarily provided.

 

Category	Examples
A. Identifiers.	Name; address; personal identifiers like ID numbers, including governmental information numbers (like Social Security Number)*; online identifiers such as IP address or tracking ID; email addresses; and account or user names.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	The “identifiers” listed above; date of birth or birthday; signature; photographs; vehicle information; financial information like account number, access information, statements, credit history (depending on the role), pensions and investment; insurance information; family information like names and contact details; and medical information you provide to Chick-fil-A.
C. Protected classification characteristics under California or federal law.	Information provided via voluntary submission, including gender, marital status, pregnancy, medical condition and/or disability status, national origin and status, or military status; race/ethnicity (primarily via voluntary self-identification)*; information related to a family member’s health condition for purposes like requesting leave; and age.
D. Commercial information.	Purchasing or consuming histories or tendencies obtained from background or credit history checks, if applicable.
E. Biometric information.	None collected.
F. Internet or other similar network activity.	Activity information on Chick-fil-A-issued devices, like IP address; tracking ID; history information; interactions with websites or applications; and preferences.
G. Geolocation data.	Specific location information from apps, websites, or equipment used in employment on Chick-fil-A-issued devices, for instance, for cybersecurity purposes.
H. Sensory data.	Audio information like voicemails or meeting audio recordings; visual information such as photographs; or other similar information.
I. Professional or employment-related information.	Employment history; educational background; qualifications; technical skills; professional memberships and certifications; language capabilities; references, recommendations and interview notes; areas of interest, work preferences, desired salary, or availability; relationship to CFA Employees or Franchised Operators; travel information; reimbursement and expense details; pre-employment test results, reference checks, or background checks (as applicable based on the role); application information; start date, title/position, business unit, location and management information; employment status and class of employment; job duties and assignments; contact details; performance, discipline, and training records; complaints and related information; survey responses; emergency contact information; dietary and allergy information; compensation records and history; hours worked, time off, and payroll records; work schedule; awards and accomplishments; health and safety information; benefits information (including information about eligible dependents and beneficiaries); separation date, reason and other related information; taxation and work authorization information; and any information needed to comply with reporting or other legal obligations.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Application information and resumes, transcripts, training history, degrees, performance, and languages spoken.
K. Inferences drawn from other personal information.	Inferences about job-related items such as work preferences or style.
L. Sensitive Personal Information	Information with an asterisk (*) above indicates sensitive personal Information. Please note we do not collect sensitive personal information for the purpose of inferring characteristics about Employees.

 

To the extent we or our third-party service and/or benefit providers collect additional categories of information beyond those described above, additional notice will be provided, and we or our third-party service and/or benefit providers will ask for Employee consent before collecting such additional categories of personal information, as required by law.

Personal information does not include information: (a) excluded from the scope of personal information under applicable law, (b) publicly available information or (c) deidentified or aggregate information.

2.    How Do We Use Employee Personal Information?

 

Personal Information collected from or about Employees is used for the following business purposes:

 

1. General Personal and Position Information.  We collect and use this type of information to onboard new Employees, for training and development, to manage our employment relationships, to foster a culture of care, and to comply with applicable laws.  The general personal and position information outlined in this section may also be used for purposes identified below and in accordance with applicable laws. 

 

1. Pay and Expense Information.  We collect and use this type of information to pay and reimburse Employees and to comply with applicable laws.

 

1. Benefits Enrollment and Administration Information.  We collect and use this type of information for enrollment in and administration of the Company's benefits for Employees and dependents and beneficiaries, to provide reasonable accommodations and leaves of absence, and to comply with applicable laws.

 

1. Performance Management Information. We collect and use this type of information to manage our employment relationship with Employees.

 

1. Health and Safety Information.  We collect and use this type of information to assess working capacity, administer Workers’ Compensation insurance programs, comply with state and federal occupational safety and health regulations, standards and guidance, comply with public health authority guidance, and comply with applicable laws.

 

1. Workplace Security and Electronic Communications Information.  We collect and use this type of information to protect the Company, Staff, Customers, and Employees; property, equipment, and confidential information; and to enforce the Company’s policies, including the Chick-fil-A Cybersecurity Policy.

 

1. Legal Compliance Information. We collect and use this type of information to address legal compliance obligations.

 

1. Other Business Purposes.  We also collect and use information for the following business purposes:  

 

(1) Helping to ensure security and integrity to the extent the use of the Employee’s personal information is reasonably necessary and proportionate for these purposes.

 

(2) Debugging to identify and repair errors that impair existing intended functionality.

 

(3) Short-term, transient use, provided that the Employee’s personal information is not disclosed to another third party and is not used to build a profile about the Employee or otherwise alter the Employee’s experience outside the current interaction with the business.

 

(4) Performing services on behalf of CFA.

 

(5) Undertaking internal research for technological development and demonstration.

 

(6) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by CFA, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by CFA.

 

While relatively uncommon, there may be occasions when we use personal information of Employees for other purposes permitted under applicable law, for example, when we are required to disclose information in connection with contractual or legal matters such as information necessary to respond to law enforcement and governmental agency requests (i.e., subpoenas); comply with contractual obligations; exercise legal and contractual rights; and initiate or respond to legal claims. 

 

In certain instances, we may maintain and use information in deidentified form.  If we do so, we do not attempt to reidentify the information, except for the sole purpose of determining whether our deidentification processes satisfy the requirement under applicable law.

 

3.    What Categories of Emergency Contact Information Do We Collect, and How Do We Use This Information?

 

We collect the following categories of personal information for the purposes described below:

• Identifiers such as name and contact information; and
• Additional types of information described in California Civil Code § 1798.80(e) such as relationship to Employee.

 

We collect this information to contact the Employee’s designated emergency contact persons in the event of an emergency.

 

4.    What Categories of Dependent and Beneficiary Information Do We Collect, and How Do We Use This Information?

 

We collect the following categories of personal information of Employee dependents and beneficiaries for the purposes described below:

• Identifiers such as name, contact information, and Social Security Number; and
• Additional types of information described in California Civil Code § 1798.80(e) such as birthday, relationship to Employee, and information necessary to process benefits claims.

 

We collect and use this information for enrollment in and administration of benefits programs for Employee dependents and beneficiaries.

 

5.    How Do We Disclose Personal Information of Employees?

 

Some personal information, such as Employee contact information, may be disclosed to the Employees, independent contractors, or agents of CFA and our affiliates with access to @CFA.  Employee personal information may also be collected by or disclosed to IT service providers, travel agencies, and third-party service providers. We disclose, and in the past 12 months have disclosed, all categories of personal information we collect about Employees and their dependents and beneficiaries to these IT service providers, travel agencies, and third-party service providers so they can perform services on our behalf.  In addition, we disclose Employees’ business contact information such as work email addresses, work phone numbers, and street addresses to our suppliers and business partners so they can contact our Employees and perform services on our behalf.

6.    How Long Do We Retain your Personal Information?

 

We retain and process Employee personal information for the length of time needed to carry out the purposes described in this Privacy Policy.  We also retain Employee personal information for related business purposes, and to the extent necessary to manage our relationships with Employees, comply with our legal obligations, resolve disputes, and enforce our agreements, consistent with our retention policy and as permitted by applicable law. 

7.     What Rights Do You Have Under California Privacy Law?

 

California residents have certain rights related to personal information, including:

 

• The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.
• The right to request that we delete personal information collected from you.  However, please note that we may deny your deletion request, as permitted under applicable law, because we maintain and use personal information of Employees for the length of time needed to carry out the purposes described in this Privacy Policy.
• The right to request that we correct inaccurate personal information we maintain about you.

You may request to exercise these rights by:

• Calling us toll-free at (833) 907-3207; or
• Completing our privacy rights request form.

 

Please note that we will take steps to verify your identity before granting you access to information or acting on your request to exercise your rights as required by applicable law. We may require you to provide your name, email address, street address, phone number, date of birth, last line reporting manager, and/or the last 4 digits of your Social Security number, as applicable, to verify your identity in response to exercising requests of the above type. We may limit our response to your exercise of the above rights as permitted under applicable law. When you submit a request to exercise your rights above, we will use the information you provide to process your request and to maintain a record of your request and our response, as permitted under applicable law.

8.    How Can Your Authorized Agent Exercise Your Rights On Your Behalf?

 

You may designate an authorized agent to make a request on your behalf. You may make such a designation by providing the agent with written permission to act on your behalf. We will require the agent to provide proof of that written permission. We may also require you to verify your own identity in response to a request, even if you choose to use an agent, to the extent permitted by law.

9.    Non-Discrimination 

We will not discriminate against you because of your exercise of any of the above rights or any other rights, and we will comply with the obligations under the California Consumer Privacy Act.  For example, we will not retaliate against you for exercising your rights under applicable law.

10.  What Is Our Privacy Policy for Customers?

 

We respect the privacy of both our Employees and Customers.  CFA's privacy policy that applies to our Customers, prospective Customers and other third parties is located at: https://www.chick-fil-a.com/legal#privacy_policy.