Privacy Policy

PURPOSE

This Privacy Policy (this “Privacy Policy”) explains how we collect, protect, use, and disclose the personal information (defined below) when you use our website located at www.sysco.com or any other website we operate, including without limitation those websites, applications, web pages or applicable interactions such as our contact centers through which our customers, suppliers, associates, contractors and business partners may complete transactions, conduct other business and manage their accounts (collectively the “Sites”). We understand that you care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about this Privacy Policy.

WHO WE ARE (Web information)

Sysco and affiliated companies operate at more than 320 distribution facilities worldwide and serves more than 650,000 customers. For a list of our companies and locations please click here: https://sysco.com/Contact/Contact/Our-Locations.html

SCOPE

This Policy is an enterprise-wide policy and shall apply to Sysco and Sysco subsidiaries owned and managed websites and applications.

POLICY STATEMENT

Compliance to privacy and data protection regulations such as the General Data Protection Regulations (GDPR) or the California Consumer Privacy Act (CCPA) requires Sysco to explain how we collect, protect, use and disclose Personal Information (defined below, refer to Definitions Section) when visitors use our Sites and applications.

PROCEDURES

HOW SYSCO COLLECTS PERSONAL INFORMATION

Sysco may collect personal information from its customers, suppliers and other Site users in several ways:

1. Sysco may gather account information through the Sites;

2. Sysco may gather customer information through the Sites;

3. Sysco may maintain historical account information of its customers and suppliers;

4. Sysco may gather information about individual guarantors;

5. Sysco may gather information from the Sites by cookies and similar Internet monitoring technologies; and

6. Sysco may in some instances gather information from third parties, for example, when a customer completes a purchase with Sysco through a third-party website.

WHAT PERSONAL INFORMATION SYSCO COLLECTS

The categories of personal information we may collect through the Sites, use, and disclose for a business purpose as described below are as follows:

• Personal identifiers for employment applications or business credit applications, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, national insurance number, passport number, or other similar identifiers;

• Personal identifiers for processing transactions, such as name, email address, shipping address, phone number, payment card information, and information about transactions including purchase information and pick-up times and locations;

• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

• Internet or other electronic network activity information, including browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement;

• Geolocation data;

• Audio, electronic, visual or similar information;

• Professional or employment-related information; and

• Education information for employment purposes

USE OF COOKIES AND SIMILAR TECHNOLOGIES

Cookies are small text files stored by your browser in your computer when you visit our Sites. We and outside companies, such as advertising networks, social media widgets, and analytics providers, use cookies and similar technologies (e.g., web beacons and web server logs) to provide and improve the Sites and our emails and make them easier to use. The information collected in this manner includes IP address, browser characteristics, device IDs and characteristics, operating system version, language preferences, referring URLs, pages visited, and other information about the usage of our Sites or emails. The technology permits us to recognize users and avoid repetitive requests for the same information. The technology also assists us in identifying the types of browsers and operating systems used most by our customers, and how visitors move through the Sites. All this information enables us to improve the Sites and emails and tailor them to our customers’ needs and preferences. We may also use this technology to track user trends and patterns in order to better understand and improve areas of our Sites that our users find valuable.

We also reserve the right to use outside companies to display ads on our Sites. These ads may contain cookies. Cookies received with banner ads are collected by such outside companies, and we do not have access to this information. These outside companies also may collect and combine information collected on our Sites and emails with other information about your online activities over time, on other devices, and on other websites or apps, if those websites and apps also use the same partners.

We currently use Google Analytics to collect and process certain Site usage data. To learn more about Google Analytics and how to opt out, please visit https://policies.google.com/technologies/partner-sites. You may be able to change browser settings to block and delete cookies when you access our Sites through a web browser. However, if you do that, our Sites may not work properly. Our Sites do not respond to browser do-not-track signals.

You may be able to opt out of receiving personalized advertisements on this browser or device from advertisers, or other advertising networks who are members of the Network Advertising Initiative or who subscribe to the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising by visiting the opt-out options of each of those organizations. Links to those websites are as follows:

Network Advertising Initiative: http://www.networkadvertising.org/choices/

Digital Advertising Alliance: http://www.aboutads.info/choices/

When you opt out of personalized advertising, you may continue to see online advertising on the Sites and/or our ads on other websites and online services.

HOW SYSCO USES PERSONAL INFORMATION

1. To establish, conduct, maintain and conclude business arrangements.

2. To evaluate and engage with prospective and current customers, suppliers and other business partners.

3. To evaluate and engage with prospective employees.

4. To process transactions with customers and suppliers and to improve its business processes.

5. To fulfill orders placed by customers, to order goods from suppliers, to respond to the requests of users of the Sites, and generally to enrich the usefulness of the Sites.

6. For identifiable and aggregate basis, in various analyses intended to help Sysco understand its customers and suppliers better.

7. Aggregated reports – Sysco may combine personal information with other information to create aggregate or summary reports and may provide aggregate data to other parties for marketing, advertising, and other purposes.

If Sysco provides information to other parties in aggregate form, such data will not include any specifically identifiable personal information concerning specific customers, suppliers or individuals unless authorized to do so.

DISCLOSURE OF PERSONAL INFORMATION

Sysco may provide third parties with personal information for our business purposes to provide or improve our products and services, including to deliver products at your request, or to help Sysco market to consumers. When we do, Sysco requires those third parties to handle it in accordance with relevant laws and in a manner that is consistent with this Privacy Policy. Sysco also shares, for Sysco’s own business purposes, personal information with companies who provide services such as information processing, associate benefits processing and services, banking/financial services, extending credit, fulfilling customer orders, delivering products, managing and enhancing customer data, providing customer service, assessing interest in our products and services, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information, are not permitted to use personal information other than for purposes of providing services to us and may be located wherever Sysco operates.

Personal information is used to complete and support your use of the Sites and the services provided thereon and to comply with any requirements of law. Sysco may share personal information with third parties as described below:

1. Sysco may disclose personal information as required by law and for the protection of Sysco and others.

2. Sysco may disclose personal information, subject to confidentiality restrictions, as part of a contemplated or actual corporate transaction, financing, or sale of the assets of a relevant business unit.

3. Sysco allows other users of the Sites to browse comments, questions or other entries that you have submitted or commented on in one or more forums, message boards, product ratings, feedback portals or other interactive or social aspects that Sysco may include on the Sites from time to time. Note that any such disclosures may be publicly available to any visitor to the Sites, and, in addition, Sysco may choose to post this data on other platforms publicly in the future. Your use of such social features constitutes your consent and agreement to Sysco’s use of any content you post or transmit through such features for Sysco’s editorial, advertising and publicity purposes, without compensation to you, except where prohibited by law.

PROTECTING YOUR PERSONAL INFORMATION

Sysco takes the security of your personal information seriously. We strive to process your information securely, in accordance with this Privacy Policy, and in accordance with information security requirements imposed by applicable law. We cannot, however, be responsible for Internet communications that are inherently not completely secure.

INTERNATIONAL TRANSFERS

Personal information collected on the Sites may be stored and processed in the United States or any other country in which Sysco or its affiliates, subsidiaries, agents, or third-party service providers maintain facilities and/or infrastructure, and by using the Sites, you acknowledge that such transfers of information outside of your country to the extent permissible under applicable law occur.

ADDITIONAL INFORMATION FOR INDIVIDUALS IN THE EEA

Lawful Basis for Using Personal Information

We use the personal information you provide to us (either orally, in writing, through your use of our website, or as a result of our dealings with you) and any data we obtain from third parties to provide the service requested by you.

We recognise that we have a legitimate interest in processing the personal data we collect about you for a number of reasons, including, but not limited to: marketing purposes, to enable us to enhance, modify, personalise, or otherwise improve our services, identify and prevent fraud, enhance and protect the security of our network and systems, and market research. “Legitimate interests” means the interests of our business in conducting and managing our business to enable us to give you the best service and most secure experience.

When we use your information for our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. Where applicable, legitimate interest assessments are conducted to ensure that these rights are protected.

Privacy Rights

You may inform us of any changes in your personal information, and in accordance with our obligations under applicable data protection laws we will update or delete your personal information accordingly.

You may have the right to: request (a) access to your personal information we hold about you; (b) request we correct an inaccurate persona information we hold about you; (c) request we delete any personal information we hold about you; (d) restrict the processing of personal information we hold about you; (e)object to the processing of personal information we hold about you; and/or (f) receive any personal information we hold about you in a structured and commonly used machine-readable format or have such personal information transmitted to another company. If you would like to exercise any of your rights, please contact dataprotection@sysco.com.

Retention or Your Personal Information

We will hold your personal information in accordance with the principles of the GDPR (and associated legislation) and for as long as reasonably necessary to fulfil the purposes for which it was collected. We may obtain your data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. We are obliged and permitted by law and regulation to retain certain types of data for a minimum period. The minimum period tends to be for six years but can be longer if the statute or regulation requires

ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. The CCPA grants certain California residents five new rights respecting their personal information. If you are a California resident, you may have the following rights:

1. The right to request more information about Sysco’s data collection and sales practices in connection with your personal information, including the categories of personal information Sysco has collected, the source of the information, Sysco’s use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;

2. The right to request a copy of the specific personal information collected about you during the 12 months before your request (together with right #1, a “personal information request”). You may only make a personal information request twice in a 12-month period, and Sysco will respond within 45 days of receiving a personal information request;

3. The right to request that personal information be deleted (with exceptions);

4. The right to request that your personal information not be sold to third parties, if applicable; and

5. The right not to be discriminated against because you exercise any of the new rights.

Sysco does not rent, sell, or share personal information (as defined by California Civil Code §1798.83) about you that we collect on the Site with other people or unaffiliated companies for their direct marketing purposes, unless we have your permission, and Sysco has not “sold” (as that term is defined in the CCPA) your personal information in the last 12 months

Note that, in connection with the exercise of the above rights, Sysco may need to collect information from you so that Sysco can verify your identity.

You may exercise these rights by contacting us. Please go to REPORTING & INVESTIGATIONS for additional information.

PROTECTING THE PRIVACY OF CHILDREN ONLINE

Sysco’s Sites are not directed to children under the age of 13 and do not knowingly collect personal information from children under the age of 13.

Please use the Contact Us email below if you have concerns regarding the potential collection of your child’s information.

OTHER PRIVACY RIGHTS

In addition to the jurisdictions addressed above, other jurisdictions have specific legal requirements and grant specific privacy rights, and we will comply with restrictions and any requests you submit as required by the applicable law. For example, you may have the right to review, correct, and delete personal information we have about you, or to consent or withdraw consent to certain uses or sharing of personal information. If you would like to request access to personal information that we maintain, or to request that we update, correct, or delete your personal information, please go to Reporting and Investigations for additional contact information. When you make a request, we may require that you provide information and follow procedures so that we can verify a request you make (and determine the applicable law) before responding to it. The verification steps we take may differ depending on the applicable law and the request you make.

LINKS TO OTHER SITES

You should be aware that this Privacy Policy only applies to Sysco Sites and applications. Importantly, it does not apply to any other websites to which a link may be provided on the Sites. We cannot control and are not responsible for the actions of third parties operating such sites. You should not take the existence of an affiliation with, or a link from, the Sites to any other website to mean that it has a privacy policy like this one. You should review the privacy policy of any such website.

REPORTING & INVESTIGATIONS

US AND NON-EEA REQUEST

If you believe that Sysco has not adhered to this Privacy Policy, or if you feel that you need to correct information about you held by Sysco, please contact Sysco by email at privacy@corp.sysco.com or by postal mail at Sysco Corporation-Compliance, 1390 Enclave Parkway, Houston, TX 77077.

Additionally, individual privacy right request can be made by visiting our web page at www.sysco.com or leave a message on our toll-free number at (855) 41-SYSCO.

EEA

To exercise any of your rights in connection with your personal information, please contact dataprotection@sysco.com. We will process any request in line with applicable local laws. You additionally have the right to lodge a complaint about how we process your personal information with the supervisor authority in your country.

Associates may immediately report any known or suspected violations of this Policy. To do so, you shall contact your direct supervisor or another member of management, your Human Resources Business partner, or the Ethics Line, a confidential toll-free third party-operated telephone service at 877-777-4020. You may also submit a report via the Ethics Line website: http://ethicsline.sysco.com a confidential web-based online reporting vehicle. Anyone reporting a suspected or actual violation of this Policy in good faith shall be protected from retaliation under Sysco’s Code of Conduct. You must cooperate with all investigations of alleged Policy violations.

DISCIPLINE & OTHER CONSEQUENCES

Employees who violate this Policy shall be subject to appropriate disciplinary action or other remedial measures up to and including termination of employment if warranted under the circumstances and permissible under applicable law.

WAIVERS

The provisions of this Policy shall not be waived. Sysco management does not have the authority to approve waivers to this Policy or any legal/regulatory requirement.

REVISION & REVOCATION

By using any of the Sites, you agree to this Privacy Policy. This is our entire and exclusive Privacy Policy and it supersedes any earlier version, provided that as to any given personal information we will abide by the terms of the Privacy Policy in effect when we collected that personal information, absent your express consent. We may change this Privacy Policy at any time by posting a new version of this Privacy Policy on the Sites. If we make any material changes, we will let you know through the Sites, by email, or other communication. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting the personal information we collect.

LOCAL POLICIES & PROCEDURES

Sysco operates in many countries, and it is Sysco’s intention to comply with all applicable legal requirements. Accordingly, if a provision of this Policy conflicts with applicable local legal requirements, Sysco may adopt regional or country-specific policies on this subject to accommodate local conditions or legal requirements; You must comply with all applicable local laws, regulations, policies and procedures

REFERENCES

The General Data Protection Regulations (GDPR) 2018 – regulation in EU on data protection and privacy for all individual citizen of the European Union and the European Economic Area. It also addresses the transfer of personal data outside of the EU and EEA areas.

California Consumer Privacy Act (CCPA) 2020 – A bill that enhances privacy rights and consumer protection for resident of California, USA

DEFINITIONS

Personal Information: Personal information is generally data that relates to a single identifiable person. You may be asked to provide your personal information when you are in contact with Sysco or a Sysco affiliated company and when you interact with Sysco’s Sites. Sysco and its affiliates may share this personal information and use it consistent with this Privacy Policy. Sysco may also combine it with other information to provide and improve our products, services, content, and advertising. You are not required to provide the personal information that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have.

Business Customer: An entity who has entered into a prime contract with Sysco or a subsidiary to provide business services and/or product.

EEA: European Economic Area

Associate: Person who is employed by Sysco or a subsidiary -otherwise identified as an employee.

POLICY REVIEW AND REVISION

This policy shall be reviewed annually or more frequently as required by changes in legal, regulatory or Sysco requirements, or to correct identified deficiencies. This policy supersedes all previous versions.

OTHER POLICY REQUIREMENTS

This policy shall be maintained and connected to all Sysco owned websites through placement on Sysco.com.