McKinsey.org Forward Privacy Notice

Last updated and effective: July 2025.

This McKinsey.org Forward Privacy Notice explains how McKinsey & Company, Inc. United States and its subsidiaries and affiliates process personal data that we obtain from your application, or access, to the McKinsey.org Forward Program Learners (“Forward Program” or “Forward”), as data controllers (the “Privacy Notice”). For the purposes of this Privacy Notice, personal data means information about an identified or identifiable individual (collectively, “personal data”), and does not include information that cannot be attributed to an identifiable individual, such as information of an anonymous nature (collectively, “anonymous data”).

McKinsey reserves the right to modify this Privacy Notice as required by changes to our business processes or applicable law. We will post any changes to our Privacy Notice on this page. Please check this page regularly to keep up-to-date.

Please note that the rules and regulations implementing various data privacy laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these rules and regulations are finalized.

You are not required to share your personal data with us, but failing to do so may result in McKinsey being unable to properly manage your participation in the Forward program.

If you are a California resident, please see our specific privacy information for you below.

By applying for the Forward Program or accessing Forward’s features or activities, you confirm that you have read and understand the terms of this Privacy Notice. If you do not understand or agree with any part of this Privacy Notice, please refrain from applying or using Forward’s features or activities and contact us for clarification before proceeding.

1. Data controller

“McKinsey” refers to the McKinsey & Company family of commonly owned affiliates. While our affiliates engage in a number of business activities and have different entity names, they all share the “McKinsey,” “a McKinsey company,” “by McKinsey,” or “acquired by McKinsey” branding or sub-logo, and they all follow, and are covered by, this Privacy Notice.

McKinsey collects and processes your personal data in relation to the Forward Program as a data controller (similar terms may be used under applicable law), which means that we determine and are responsible for how your personal data is collected, used, protected, disclosed, and disposed of.

Depending on the jurisdiction you are located in or the location from which you participate in the Forward Program, the local McKinsey entity may be your main data controller.

2. How do we collect your personal data?

McKinsey collects personal data in the course of the Forward Program, directly from you and sometimes from third parties:

• McKinsey collects personal data about you in relation to the Forward Program:
  • When you complete the application form to apply for the Forward Program and during the Forward Program;
  • When you interact with McKinsey for the completion of the Forward Program;
  • When you participate in a survey conducted by McKinsey in relation to your participation in the Forward Program;
  • When you interact with any of our websites related to the Forward Program, including when you manage your cookie preferences, as described in our Cookie Notice.
• McKinsey may also receive personal data about you from third parties, including service providers and data vendors to manage your participation in the Forward Program. When we collect personal information from third parties, the data consists primarily of publicly available personal information compiled from business websites, and other widely used public sources for verification purposes to analyze your eligibility. In each instance, we do our best to confirm that the third party has lawfully collected the data from appropriate sources and is authorized to share the data with McKinsey for the uses intended by McKinsey in accordance with section three below.

Sensitive personal data – We may also collect sensitive personal data directly from you, for instance when you respond to a survey conducted by McKinsey in relation to your participation in the Forward Program and provide us with demographic or other personal data, but in any case, only when necessary. We use sensitive personal data only with your consent unless another legal basis exists (e.g., public health requirements). When we collect and use sensitive personal data for research, data analysis, and statistical purposes, we use our best efforts to collect it on an anonymous basis, and use it to produce reports and publications based on deidentified datasets, in line with this Privacy Notice and the survey notice that will be provided to you along with the survey to collect the information.

3. Purposes. Why and how are we using your personal data?

McKinsey collects, stores, processes, and shares your personal data to provide access to, and manage your application with, the Forward Program. During the Forward Program, McKinsey uses your personal data for different purposes and may combine data from multiple sources to accomplish those purposes. The table below summarizes the purposes for which we process your personal data, the categories of personal data that we use for each purpose, and the legal grounds on which each data processing activity is based, along with the recipients of the personal data:

Purpose	Categories of personal data	Legal basis	Data access
Eligibility: To analyze your eligibility to participate in this Forward Program	Name, email address, country of residence, nationality, date of birth	The execution of your request and express consent to participate in the Forward Program	McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice
Manage your participation: To create an account for you in the Forward Program and manage your participation and provide you with all the services this Forward Program entails	Name, email address, country of residence, nationality, date of birth, your progress in the Forward Program and any difficulties you encounter along the way	The execution of your request and express consent to participate in the Forward Program	McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice
Certification and creation of badges: To issue your certification or badge	Name, email address, your progress in the Forward Program	The execution of your request and express consent to participate in the Forward Program	McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice
Networking groups: To add you to networking groups or lists, including LinkedIn	Name and public information published in those groups	Your consent	LinkedIn
Analytics: Aggregate, deidentify, or anonymize your personal data so that, depending on and in compliance with applicable law, your data is no longer considered as personal data, to analyze and improve Forward and its diversity and inclusion, including statistics, progress rate, satisfactions scores, session recordings, and research to improve the Forward Program or their impact. In certain jurisdictions, when you access the Forward Program with a referral code, the purposes of these analytics may include tracking the number of participants and graduates	Country of residence, nationality, date and place of birth, level of education, employment status, family income level, family education level and first generation	Our legitimate interest and your consent to participate in the voluntary surveys where we collect this data	McKinsey maintains deidentified personal data in deidentified form and does not use or permit others to use deidentified data in any way that would identify or reidentify individuals in the data set
Communications: Where you have expressly given your consent, to send you commercial communications related to the Forward Program and other McKinsey initiatives in relation to your interests. You can opt out of those communications at any time by clicking on the link in an email you have received from us; or emailing us at Global_Unsubscribes@mckinsey.com	Name, email address.	Your consent	McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.
Legal compliance and legal actions: Comply with all applicable regulations, exercise legal actions and legal defense at courts, prevent fraud, this Forward Privacy Notice and the terms of use of the Forward Program, as well as complying with corporate reporting obligations, such as using aggregated data for ESG reports.	Data will depend upon specific legal requirements.	Compliance with all applicable laws and regulations	McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Whenever the legal ground is our legitimate interest, McKinsey only processes your personal data after assessing the adequacy, proportionality, and legitimacy of the data-processing activity.

If consent is the legal basis for processing and you have subsequently withdrawn it, we may not be able to properly provide you with our full range of services and good user experience.

McKinsey does not use automated decision making to make decisions that have a legal impact on you or that significantly affect your rights and liberties. All automated processing activities are conducted with appropriate human supervision and review.

McKinsey’s use of cookies and other tracking technologies. McKinsey may use first- and third-party cookies, pixel tags, web beacons, and other similar technologies to gather information on our digital properties. This information is used for a variety of purposes, such as to manage our websites related to the Forward Program, collect analytics about how you use our websites and the Forward Program, or to provide targeted advertisements on our websites, or on third-party websites, that may be of interest to you. The use of these technologies and tools for advertising may be considered a “share” and/or “targeted advertising” under certain US state laws. McKinsey may also collect information about whether you open or click any links related to the Forward Program and where you found those links. You have options regarding our use of cookies and other tracking technologies. Please refer to our Cookie Notice and “Your data protection rights” section below for more details and to manage your choices. There is no industry standard for how Do Not Track browser settings should work on commercial websites and therefore, due to the lack of such standards, our websites do not currently change the way they operate upon detection of a Do Not Track setting.

In addition, we use tools and applications that reduce security threats and reduce the risk of access by bots and automated devices, but we do not use those tools and applications for non-security purposes.

4. What do we not do when we collect and process your personal data?

We do not use personal data for the purpose of profiling that produces significant effects

We do not acquire, use, or allow others to use anonymous data with the intent of identifying or reidentifying individuals. When we receive anonymous data or transform personal data that we have collected into anonymous data, we make the following commitments:

• McKinsey will maintain anonymous data in anonymized form.
• Except to the extent necessary to confirm that personal data has been transformed into anonymous data, McKinsey will not attempt to identify or reidentify specific individuals within an anonymized dataset or otherwise use anonymous data to attempt to associate specific individuals with individual characteristics and will not permit any entity or individual acting on McKinsey’s behalf to do so.
• To the extent, if any, that McKinsey provides access to or otherwise discloses an anonymized dataset to a non-McKinsey recipient, for example, a service provider or a client, it will require each such recipient to agree to maintain the anonymous data in its anonymized form and not attempt, or permit others to attempt, to identify or reidentify specific individuals within the anonymized dataset or otherwise use anonymous data to attempt to associate specific individuals with individual characteristics.

5. Data recipients and international data transfers. Who has access to your personal data?

We do not sell personal data to third parties for monetary or other valuable consideration, but we may share your personal data with third parties for targeted advertising and cross-context behavioral advertising.

Personal data collected in the course of the Forward Program may be transferred and made available to other McKinsey entities, service providers, and third parties as necessary to accomplish the specific business purposes for which the personal data were collected and to support our interactions with you, and otherwise as required to comply with applicable law. McKinsey may provide access to and transfer your data to the following categories of data recipients, for the business purposes described in section three, above:

• To McKinsey’s subsidiaries and affiliates and personnel across our global organization;
• To McKinsey’s service providers and personnel.
• In certain jurisdictions where you use a referral code to access the Forward Program, to non-profits organizations with whom McKinsey has partnered to provide you with the Forward Program, for the purposes of tracking of the number of participants and graduates.
• To McKinsey’s legal and professional advisors;
• To McKinsey’s advertising vendors and partners that support our marketing efforts, including for purposes of behavioral and targeted advertising;
• To third parties in the following circumstances:
  • If we are required to do so by law or legal process;
  • Where permitted under applicable laws, to law enforcement authorities or other government officials pursuant to lawful request;
  • When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity;
  • If disclosure is necessary to protect the vital interests of a person;
  • To enforce the terms of use of the Forward Program;
  • To protect our property, services, and legal rights;
  • To prevent fraud against McKinsey, our subsidiaries, affiliates and/or business partners;
  • To aid McKinsey’s investigation of an actual or suspected security incident, such as a breach involving confidential information or personal information or a violation of McKinsey policy;
  • To support auditing, compliance, and corporate governance functions;
  • To comply with any and all applicable laws.
• To a successor or different business entity in the event of a reorganization, merger, sale, joint venture, assignment, or other transfer or disposition of all or any portion of our business, provided the relevant requirements under applicable laws are complied with.

Since McKinsey is a global organization, the affiliates and service providers to which we transfer your personal data connected to your participation in the Forward Program may be located in countries which may have different data protection laws than those in your country of residence. To protect personal data that is transferred internationally, McKinsey complies with all applicable data transfer laws and will implement safeguards to protect your personal data across McKinsey’s global operations. Where required by law, McKinsey has put in place legal mechanisms, which include EU’s Standard Contractual Clauses, that are designed to ensure appropriate data protection of your personal data that is processed by McKinsey subsidiaries, affiliates, and third-party service providers.

6. Security

McKinsey protects and safeguards your personal data globally, in accordance with applicable law, our privacy and data security policies, and this Forward Privacy Notice. We use generally accepted standards of technical and operational security to protect your personal data against accidental or unlawful loss, misuse, alteration, or destruction, in consideration of the risks associated with the personal data and its processing, and we require the same level of protection and safeguarding from our subsidiaries and affiliates, our service providers, and third parties. Only authorized personnel of McKinsey and of our service providers are permitted to access personal data, and these employees and service providers are required to treat this information as confidential. Despite these precautions however, McKinsey cannot guarantee that unauthorized individuals will not obtain access to your personal data.

7. Data retention. How long do we keep your personal data?

McKinsey keeps your personal data only as long as necessary for the completion of the Forward Program and the purposes herein indicated and to comply with our legal, regulatory and contractual obligations, in compliance with McKinsey’s data-retention policy. We will securely delete, destroy or otherwise render your personal data unidentifiable promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.

If you request that we delete your personal data, McKinsey will comply with applicable law and will make reasonable attempts to delete all instances of the personal data. For requests for access, corrections, or deletion, especially where the processing is based on your consent, please refer to section nine of this Privacy Notice.

8. Individuals above the age of 18

The Forward Program is only provided to individuals above the age of 18. McKinsey does not intentionally use the Forward Program to collect or maintain personal data from individuals under the age of 18. Individuals under the age of 18 should not attempt to provide us with any personal data. If you think we have received personal data from those under the age of 18, please contact us immediately.

9. Data privacy rights. What are your data protection rights and how can you exercise them?

9.1. Your data protection rights

Subject to the local data privacy laws in your jurisdiction, including exceptions, you may have the following rights with regard to the personal data that we collect about you:

• Right to request information about the personal data that we hold about you, including information about how we use your personal data, who has access to it, and the terms under which third parties have access to your personal data;
• Right to request a copy of the personal data that we hold about you;
• Right to request portability of your data to permit you to provide a copy of your personal data in a structured, commonly used, and machine-readable format and to transmit that personal data to another controller;
• Right to request that we correct or otherwise amend your personal data if it is not correct or otherwise not complete, timely, and accurate for the purposes for which we are using it;
• Right to request deletion of your personal data;
• Right to request that we cease processing or restrict or limit the processing of your personal data;
• Right to withdraw your consent to our processing of your personal data where the basis of our processing is your consent;
• Right to opt out of the processing of your personal data for targeted advertising/sharing of your personal data for purposes of cross-context behavioral advertising;
• Right to not be discriminated against for exercising your individual rights regarding your personal data;
• Right to request review by McKinsey’s Global Protection Officer and, if applicable, McKinsey’s data protection officer for your jurisdiction, of our response to your request to exercise your individual data protection rights; and
• Right to seek additional legal remedies regarding our response to your request to exercise your individual data-protection rights, depending upon your jurisdiction, by lodging a complaint with your data-protection authority or initiating a legal proceeding.

9.2. How do you exercise your data protection rights?

You can contact the Data Protection Officer for your jurisdiction at privacy@mckinsey.com.

If you would like to exercise your data protection rights regarding your personal data, you can do so by:

• Completing the data-subject request form.
• Emailing your request to us at: DataSubjectRights@mckinsey.com
• For requests from US residents, call us at +1 (844) 582-3015
• To unsubscribe to our communications, you can click on the link in an email you have received from us; or email us at Global_Unsubscribes@mckinsey.com.

Upon receipt of your request to exercise your data-protection rights, we will acknowledge receipt within the time period required by applicable law and provide you with information about the next steps in the process and the timing. Depending upon the nature of your request, we may take reasonable steps to verify your identity before acting on certain data protection rights, in accordance with applicable law. This process may require us to request additional personal data from you, including, but not limited to, your email address, mailing address, and/or date of last interaction with us. In certain circumstances, we may decline a request to exercise a privacy right, particularly where we are unable to verify your identity.

You may designate an authorized agent to submit a request on your behalf. To designate an authorized agent, you must either (1) provide the authorized agent with a power of attorney that shall accompany the initial request; or (2) provide the authorized agent with any other written documentation of their authority to act on your behalf, provided that it sufficient evidences that you have provided the authorized agent signed permission to act on your behalf, and verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf until they provide such evidence.

Please note that applicable laws include exceptions to assertions of data protection rights that may prevent us from providing access to your personal data or otherwise fully complying with your request. If we believe exceptions apply, we will respond to your request to the extent we are able to do so, and we will provide an explanation of the basis for not complying wholly or partially with your request.

For further details, especially if you are using any additional services, features, or applications of McKinsey, including our mckinsey.com website, please find further information how we are using and protecting your personal data in the McKinsey Privacy Notice.

10. Contact Us

If you have questions, concerns, or feedback, you can always contact us using the information below. For your protection, we may need to verify your identity before assisting with your questions, comments, or feedback.

• Email: Privacy@mckinsey.com
• Phone: +1 (844) 582-3015
• Mail:
  McKinsey & Company
  Attn: Privacy
  1200 19th St NW STE 1000
  Washington, DC 20036

 

 

 

 

Your California Privacy Rights Appendix

This appendix seeks to provide additional information to residents of California and supplements the information provided in the Privacy Notice.

As disclosed above, we do not “sell” personal data as that term is defined under California privacy law, but we may share personal data with third parties for cross-context behavioral advertising. However, we do not share personal data with third parties for their own direct marketing purposes without your consent. We do not purposefully “sell” or “share” the personal data of individuals under the age of 16. California residents under 18 years old, in certain circumstances, may request and obtain removal of personal data or content that you have posted on our Sites. Please be mindful that this would not ensure complete removal of the content posted by you on our Sites.

To learn more about the categories of personal data we collect, how we collect it, why it is collected, with whom we share it, and how long we retain it, please see the items below. Please see the instructions provided above in order to submit a privacy right request.