UPDATED JANUARY 2023

Sysco Global Data Privacy Notice

Sysco respects your privacy and understands that you care about how your personal data is managed. This Global Data Privacy Notice (this “Privacy Notice”) explains how we collect, protect, use, store and share your personal data (defined below) when you contact us, visit any of our websites (regardless of where you visit from), use our applications or have other interactions with us such as via our contact centres, social media profiles or webchat which are used by our customers, suppliers, employees, contractors, website visitors, social media users, and business partners to complete transactions, conduct other business and manage their accounts.

Translated Versions

Sysco Global Data Privacy Notice in Multiple Languages: 

Spanish - Latin America

Chinese

French Canadian

French

Swedish

PURPOSE AND SCOPE OF THIS NOTICE

Sysco respects your privacy and understands that you care about how your personal data is managed. This Global Data Privacy Notice (this “Privacy Notice”) explains how we collect, protect, use, store and share your personal data (defined below) when you contact us, visit any of our websites (regardless of where you visit from), use our applications or have other interactions with us such as via our contact centres, social media profiles or webchat which are used by our customers, suppliers, employees, contractors, website visitors, social media users, and business partners to complete transactions, conduct other business and manage their accounts.

WHO WE ARE & HOW TO CONTACT US

Sysco operates globally including in the United States, Canada, and countries within Europe, Central America, and the Caribbean, and serves more than 650,000 customer locations. “Sysco” is made up of different businesses, details of which can be found here: https://sysco.com/Contact/Contact/Our-Locations.html.

This Privacy Notice is issued on behalf of the Sysco group of companies, so when we refer to “Sysco”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the Sysco group of companies with whom you interact and who determines the purpose and means of managing your personal data, sometimes referred to as the Data Controller.

Sysco’s Global Data Privacy Officer oversees Sysco’s compliance with data privacy laws and can be contacted via dataprivacy@sysco.com

NOTICE STATEMENT

Sysco is a global company, and your personal data is processed in accordance with relevant and appliable global, national and local data privacy laws and regulations, including but not limited to the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (UK GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Personal Information Protection and Electronic Documents Act (PIPEDA). Many of these laws and regulations require Sysco to explain how we collect, protect, use, store and disclose your personal data when you interact with us.

If you are an employee or contractor of Sysco, please see the Global Employee Data Privacy Notice for more details about how Sysco manages your personal data.

THE PERSONAL DATA WE COLLECT AND WHY

Sysco may collect or ask you to provide your personal data when you interact or are in contact with us. Sysco will process your personal data in accordance with this Privacy Notice. You are not required to provide the personal data that we have requested, but, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have.

The categories of personal data we may collect or process about you, the purpose for processing this personal data and the lawful basis is as follows:

“Personal Identifiers” means (including but not limited to): name, age, image, biometric data, business name, account name, address, unique personal identifier, IP address, email address, contact number, social media identifiers, social security number, driver’s license number, vehicle registration number, national insurance number, passport number, or other similar identifiers.

“Transactional Information” means (including but not limited to): name, age, business name, account name, username or other account access information, email address, contact number, shipping address, payment card information, banking information, order history, purchase information, purchase considerations, pick-up times, and geo-locations.

“Marketing, Promotions and Engagement Information” means (including but not limited to): name, age, business name, account name, unique personal identifier, IP address, email address, contact number, address, social media identifiers, order history, purchase information and geo-locations.

Type of Personal Data

Purpose / Activity

Lawful Basis (UK & EEA)

Personal Identifiers

Transactional Information

To evaluate and engage with prospective and current customers, suppliers and where relevant individual guarantors, and other business partners to determine suitability, including credit worthiness for account creation purposes and other business engagement.

Legitimate Interests

Contract

Personal Identifiers

Transactional Information

To engage with prospective and current customers, suppliers and other business partners to communicate relevant promotions, offers or opportunities that we think may interest them via email, phone, SMS or post, including offers from selected third parties.

Legitimate Interests

Marketing, Promotions and Engagement Information

Engagement via social media to drive brand awareness and brand engagement, and promote new products and services.

Legitimate Interests

Marketing, Promotions and Engagement Information

Administration of competitions and prize draws

Contract

Personal Identifiers

Transactional Information

Surveys and market research to determine the effectiveness of current services and the suitability and popularity of products and influence future products, services and promotions provided by Sysco.

Legitimate Interests

Personal Identifiers

Monitoring communications with customers, suppliers and other business partners for training and quality purposes

Legitimate Interests

Personal Identifiers

To evaluate and engage with prospective employees or contractors.

Legitimate Interests

Personal Identifiers

Transactional Information

To process transactions, including fulfilling orders, purchasing goods or services, with customers, suppliers and other business partners including arranging third-party logistics.

Contract

Personal Identifiers

Transactional Information

To manage payments, collect and recover money owed.

Contract

Personal Identifiers

Transactional Information

Aggregated reports – Sysco may combine personal data with other information to create aggregate or summary reports and may provide aggregate data to other parties for marketing, advertising, and other purposes. Service improvement - to help Sysco understand its customers and suppliers better including understanding the effectiveness of Sysco products and services and determining required improvements for business processes

Legitimate Interests

Transactional Information

Network and systems security, troubleshooting, system maintenance and data hosting. IT infrastructure security.

Legitimate Interests

Personal Identifiers

Safety and security of Sysco premises and sites for visitors, employees, customers, suppliers and other business partners through use of CCTV, vehicle monitoring, site inspections.

Legitimate Interests

Legal Obligation

 

“Legitimate Interests” means the interests of our business in conducting and managing our business to enable us to give you the best service and most secure experience.

When we use your information for our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. Where applicable, legitimate interest assessments are conducted to ensure that these rights are protected.

“Contract” means processing your personal data because it is necessary for a contract we have with your, or because you have asked us to take specific steps before entering into a contract with you.

“Legal Obligation” means processing your personal data because it is necessary to comply with a law that we are subject to.

SENSITIVE & SPECIAL CATEGORY PERSONAL DATA
SENSITIVE & SPECIAL CATEGORY PERSONAL DATA – FOR INDIVIDUALS IN THE UK & EEA

Under the GDPR and similar legislation, special category personal data means, personal data that divulges any of the following about an individual:

  • Racial or ethnic origin;

  • Political opinions;

  • Religious or philosophical beliefs;

  • Trade union membership; 

  • Genetic data; 

  • Biometric data (where used for identification purposes);

  • Health data; and, 

  • Sex life and sexual orientation data.

Sysco does not collect special category personal data about its customers, suppliers, website visitors, social media users, or other business partners.

SENSITIVE PERSONAL DATA – FOR CALIFORNIA RESIDENTS

Under the CCPA/CPRA, sensitive personal data includes any private information that divulges any of the following about a consumer (personal data is not considered sensitive personal data if it is publicly available):

  • Personal identification numbers, including social security, driver's license, passport, or state ID card numbers;

  • Account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts;

  • Exact geolocation;

  • Racial origin, religious beliefs, or union membership;

  • Mail, email, or text message content unless the information was intentionally sent to the business;

  • Genetic data;

  • Biometric data when used to identify a consumer; and,

  • Health or sexual orientation data.

Sysco may collect very limited types of sensitive personal data about its customers, suppliers, website visitors, social media users, or other business partners as detailed in the PERSONAL DATA WE COLLECT AND WHY section. Should Sysco request this data, it will be made clear why and how we may use this type of data at the point of collection.

HOW WE COLLECT PERSONAL DATA

 

Sysco may collect personal data from its customers, suppliers, employees, contractors, website visitors, social media users, and business partners through any direct and indirect interaction with us, as set out below:

  • Through websites, applications, webchat and social media platforms;

  • Via telephone, through our contact centers, email communications and via mail;

  • Through cookies and similar internet monitoring technologies;

  • Via third parties, including service providers, suppliers and business partners and their websites; and

  • Through CCTV and other monitoring systems.

 

HOW WE USE COOKIES & SIMILAR TECHNOLOGIES

Cookies are small text files stored by your browser in your computer or on your device when you visit Sysco websites. Sysco and other companies, such as advertising networks, social media widgets, and analytics providers, use cookies and similar technologies (e.g., web beacons and web server logs) to distinguish you from other users of our website, help us to provide you with a good experience when you browse our websites and also allows us to improve our websites.

The information collected in this manner includes IP address, browser characteristics, device IDs and characteristics, operating system version, language preferences, referring URLs, pages visited, and other information about the usage of our websites or emails. The technology permits us to recognize users and avoid repetitive requests for the same information. The technology also assists us in identifying the types of browsers and operating systems used most by our customers, suppliers, website visitors, social media users, or other business partners and how website visitors move through the websites.

All this information enables us to improve Sysco’s websites and emails and tailor them to our customers’ suppliers, website visitors, social media users, or other business partners needs and preferences. We may also use this technology to track user trends and patterns in order to better understand and improve areas of our websites that our users find valuable.

We also reserve the right to use outside companies to display ads on our websites. These ads may contain cookies. Cookies received with banner ads are collected by such outside companies, and we do not have access to this information. These outside companies also may collect and combine information collected on our websites and emails with other information about your online activities over time, on other devices, and on other websites or apps, if those websites and apps also use the same partners.

We use the following cookies:

  • Strictly necessary cookies: These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

  • Analytical or performance cookies: These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

  • Functionality cookies: These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

  • Targeting cookies: These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

We currently use Google Analytics to collect and process certain website usage data. To learn more about Google Analytics and how to opt out, please visit https://policies.google.com/technologies/partner-sites. You may be able to change browser settings to block and delete cookies when you access our websites through a web browser. However, if you do that, our websites may not work properly. Our websites do not respond to browser do-not-track signals.

When you opt out of personalized advertising, you may continue to see online advertising on Sysco’s websites and/or our ads on other websites and online services.

HOW WE SHARE PERSONAL DATA

Sysco may share your personal data within its group of companies and brands. We may also provide access to or share your personal data with other parties for the purposes set out in the PERSONAL DATA WE COLLECT AND WHY Section above. These parties include:

  • External third parties such as service providers, suppliers and/or other business partners who process personal data on our behalf.

  • Government agencies, regulators or other public authorities where disclosure is required by applicable law.

  • Third parties who we may be interested in acquiring or merging with, or where we may seek to sell, transfer or finance parts of our business or assets.

  • Third party platforms, websites or social media channels. For example, this may include user content from message boards, product reviews, feedback portals or other interactive or social aspects. Sysco may choose to share this data on other platforms publicly from time to time. Your use of such social media channels and features constitutes your agreement to Sysco’s use of any content you post or transmit through such features for Sysco’s editorial, advertising and publicity purposes, without compensation to you, except where prohibited by law.

We require all parties to whom we disclose personal data, to respect the security of your personal data and to treat it in accordance with this Privacy Notice and the law. We do not allow any party to whom we disclose personal data to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Sysco also shares, for Sysco’s own business purposes, personal data with companies who provide services such as information processing, banking/financial services, extending credit, fulfilling customer orders, delivering products, managing and enhancing customer data, providing customer service, assessing interest in our products and services, and conducting customer research or satisfaction surveys.

HOW WE SHARE PERSONAL DATA – CALIFORNIA
HOW WE SHARE PERSONAL DATA - ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

Sysco does not “sell”, as defined under the CCPA/CPRA, personal data.

Sysco may “share” as defined under CPRA/CPRA, personal data. This means Sysco may share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer’s personal data by the business to a third party for cross-context behavioral advertising.

Please see the DATA SUBJECT RIGHTS FOR CALIFORNIA RESIDENTS section for further information about exercising your rights in relation to the sharing of your personal data.

HOW WE MARKET TO YOU

Sysco would like to keep you updated with offers and promotions that we think may interest you. We communicate with you via different channels, including post, email, telephone, SMS, automated calls and social media.

We may also share your contact details with our service providers, suppliers and other relevant business partners where we think their products or services may be of interest to you.

You may opt-out of any marketing communications by following the unsubscribe directions on postal communications, or the unsubscribe or opt-out links on electronic marketing communications or by advising the contact centre agent you are speaking with of your marketing preferences. You can also contact the Global Data Privacy Office via email at dataprivacy@sysco.com.

Sysco may offer promotions and competitions and sometimes this may be in conjunction with service providers, suppliers or other trusted business partners. If you choose to take up these promotions or enter these competitions, you will be advised at the time how your personal data will be used and shared depending on the promotion or competition.

Sysco carries out market research to better understand our customers, suppliers, employees, contractors, website visitors, social media users, and/or business partners’ behaviors, preferences, requirements and product or service experience. You may be asked to complete questionnaires or provide feedback via different channels, including post, email, telephone, SMS, automated calls and social media. Market research is not considered a marketing communication, however, should you wish to opt-out of receiving future market research invitations, please follow the directions of the communication you have received.

Please note, that where you unsubscribe or opt-out of receiving any marketing communications, we will still communicate with you for the purposes of fulfilling your order or managing your account. For example, keeping you updated about the status and delivery of the products you have ordered from us.

HOW WE PROTECT PERSONAL DATA

Sysco takes the security of your personal data seriously. We maintain technical and organizational measures to protect your personal data and have established policies and processes in place to manage any suspected personal data breach. We limit access to your personal data to those employees, contractors, service providers or other parties to whom we disclose, or make available your personal data to those who have a business need to know. We also practice data minimization and strive to collect no more personal data from you than is required by the purpose for which we collect it.

INTERNATIONAL PERSONAL DATA TRANSFERS

Sysco operates globally including in the United States, Canada, and countries within Europe, Central America, and the Caribbean. Sysco may transfer, process, or store your personal data within its group of companies and brands, or to service providers, suppliers and/or other business partners (or their service providers) for the purposes outlined in the PERSONAL DATA WE COLLECT AND WHY section to countries outside the country where your personal data was originally collected.

Sysco takes all reasonable steps to safeguard the protection and privacy of your personal data, which may include transferring to countries whose privacy laws ensure an appropriate level of protection for personal data, implementing standard contractual clauses, or other means of transferring personal data which ensure the transfer is lawful and the personal data is protected.

DATA SUBJECT RIGHTS FOR INDIVIDUALS IN THE UK & EEA

Under UK and EU data privacy laws, you have certain rights in relation to your personal data. If you are a UK or EU citizen, you may have the right to:

(a) Request access to the personal data that we hold about you;

(b) Correct any inaccurate personal data that we hold about you;

(c) Request we delete any personal data we hold about you, in certain circumstance;

(d) Request that we restrict the processing of the personal data that we hold about you;

(e) Object to the processing of the personal data we hold about you; and/or

(f) Request to receive any personal data we hold about you in a structured and commonly used machine-readable format or have such personal information transmitted to another company (data portability); and

(g) Request information about, or challenge any solely automated decision making and/or profiling we may carry out in relation to you.

You may also have the right to lodge a complaint with the relevant supervisory authority in our country of residence if you believe Sysco has not complied with local applicable data privacy laws.

If you, or your authorised representative, would like to exercise any of your rights, please contact the Global Data Privacy Office via email at dataprivacy@sysco.com.

DATA SUBJECT RIGHTS FOR CALIFORNIA RESIDENTS

The California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act 2020 (CPRA) grants California residents’ certain rights in relation to their personal data. If you are a California resident, you may have the following rights:

a) to access your personal data that we hold about you;

b) to delete any personal data collected from you;

c) to opt-out of the sale or sharing of personal data and know who it is shared with (if applicable);

d) to correct any inaccurate personal data that we hold about you;

e) to limit use and disclosure of any sensitive personal information;

f) to opt-out of any automated decision making or request further information about automated decision making; and

g) to request that your personal data is transferred to other businesses or organizations (data portability).

You may also have the right to lodge a complaint with the relevant California regulator if you believe Sysco has not complied with local applicable data privacy laws.

If you, or your authorised representative, would like to exercise any of your rights, please contact the Global Data Privacy Office via email at dataprivacy@sysco.com or via our toll-free number; 1-800-407-9726 / 800-40-SYSCO. Please note that Sysco may need to collect information from you so that we can verify your identity before responding to a request.

In relation to opting out to of the sale or sharing of your personal data (if applicable); you may also exercise your rights by following this link. In relation to limiting the use and disclosure of any sensitive personal data; you may also exercise your right by following this link:

OTHER DATA SUBJECT RIGHTS

In addition to the jurisdictions addressed above, other jurisdictions have specific legal requirements and grant specific data subject rights. Sysco will comply with any requests you submit as required by the applicable law.

When you make a request, we may require that you provide information and follow procedures so that we can verify a request you make (and determine the applicable law) before responding to it. The verification steps we take may differ depending on the applicable law and the nature of the request you make. Please submit your request to the Global Data Privacy Office via email at dataprivacy@sysco.com.

HOW LONG WE RETAIN PERSONAL DATA

We will hold your personal data in accordance with the principles of the relevant applicable, local laws for as long as reasonably necessary to fulfil the purposes for which it was collected. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

We are obliged and permitted by law and regulation to retain certain types of data for a minimum period. The minimum period tends to be for seven years but can be longer if the statute or regulation requires.

HOW WE PROTECT THE PRIVACY OF CHILDREN ONLINE

Sysco does not directly target children under the age of 13 and does not knowingly collect personal data from children under the age of 13.

Please contact the Global Data Privacy Office if you have concerns regarding the potential collection of your child’s information.

OTHER NOTICE INFORMATION
LINKS TO OTHER SITES

This Privacy Notice does not apply to any other websites to which a link may be provided by Sysco or found on Sysco’s websites, applications, social media profiles or webchat. We cannot control and are not responsible for the actions of third parties operating such websites. You should not take the existence of an affiliation with, or a link from, Sysco’s websites applications, social media profiles or webchat to any other website to mean that it has a privacy notice of a similar standard. You should review the privacy notice of any third party you choose to interact with.

REVISION & REVOCATION

By interacting with Sysco in any of the ways outlined, you are agreeing to this Privacy Notice. This is our entire and exclusive Privacy Notice, and it supersedes any earlier version, provided that as to any given personal data we will abide by the terms of the Privacy Notice in effect when we collected that personal data, absent your consent.

This Privacy Notice shall be reviewed annually or more frequently as required by changes in legal, regulatory or Sysco requirements, or to correct identified deficiencies.

If we make any material changes, we will let you know via Sysco websites, email, or other relevant communication channels. We encourage you to periodically review this Privacy Notice to stay informed about how we collect, protect, use, store and disclose your personal data.

LOCAL POLICIES & PROCEDURES

Sysco operates in many countries, and it is Sysco’s intention to comply with all applicable legal requirements. Accordingly, if a provision of this Privacy Notice conflicts with applicable local legal requirements, Sysco may adopt regional or country-specific notices or policies on this subject to accommodate local conditions or legal requirements. You must comply with all applicable local laws, regulations, policies and procedures.

Executive Notice Owner:

Vice President, Legal, International & Deputy General

Notice Owner:

Senior Director, Global Data Privacy Officer

Prepared By:

Senior Director, Global Data Privacy Officer

Effective Date:

December 2022

Notice Location:

Global Data Privacy SharePoint & www.sysco.com

Version No:

V2

Reason for Revision:

Update to reflect new global privacy laws requirements

 

DEFINITIONS

Consumer - a natural person who is a resident of California as defined in Section 17014 of Title 18 of the California Code of Regulations.

Cross-context behavioral advertising - the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly- branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.

Individual / Data Subject - the identified or identifiable living individual to whom personal data relates.

Personal Data - any information that relates to an identified or identifiable individual or consumer and includes information that can be reasonably linked to you.

The California Consumer Privacy Act 2018 (CCPA) - creates an array of consumer privacy rights and business obligations with regard to the collection and sale of California residents’ personal data / information. The CCPA went into effect January 1, 2020.

The California Privacy Rights Act (CPRA) - significantly amends and expands the CCPA, enhancing California residents’ privacy rights.

The General Data Protection Regulations (GDPR) 2018 – sets guidelines for the processing of personal data about individuals in the UK and EU. The GDPR provides individuals with more control over how their personal data is handled and disseminated by businesses and provide an array of data subject privacy rights.

SYSCO GLOBAL DATA PROCESSING ADDENDUM

An important update is available for your browser. Please install this critical update.

×