Mastercard Applicant Privacy Notice

For the purpose of this Notice, “Personal Information” means any information relating to an identified or identifiable individual. In connection with your application for employment and potential onboarding, we obtain Personal Information relating to You from various sources described below.

“Processing” means any operation or set of operations performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing will be carried out on paper and by electronic means.

Where applicable during the recruitment process/pre-employment/onboarding process, we will indicate whether and why You must provide us with your Personal Information, as well as the consequences of failing to do so. If You do not provide Personal Information when requested, we may not be able to assess your suitability for employment and continue the recruitment/ pre-employment/onboarding process.

We may collect the following Personal Information:

• Identification details (e.g., first name, last name);
• Contact information (e.g., email address, phone number, address, city, state, zip code, country);
• Gender;
• Business or government relationships that may lead to conflicts of interest;
• Curriculum vitae/resume;
• Employment history;
• Education history;
• Skills inventory (including by way of skills assessments You may take part in, as permitted by applicable law, as part of any application process);
• LinkedIn Profile URL, the publicly available sections of your LinkedIn profile URL, if you provide it to us, and other professional websites you provide to us;
• Immigration status and work permits;
• Demographic information and/or protected classifications (as required by applicable law);
• Desired salary (if applicable);
• Salary history (to the extent permitted by applicable local laws);
• Results of any pre-employment testing (such as psychometric testing, credit history checks and other screening, subject to strict conditions, as permitted under applicable law, and, for Individuals in the EEA, as described in the Screening Privacy Notice);
• Video/photo images or audio recordings (e.g., via virtual interviews and/or CCTV footage (where applicable));
• Calendar availability;
• Results of the selection process;
• Online identifiers and website, device and mobile app usage, and similar information collected via automated means, such as cookies and similar technologies; and
• Any other information you choose to share, such as information included in your CV/resume and/or shared with us during the interview process.

Generally, Mastercard will only Process Sensitive Personal Information as defined by applicable law (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and offences or related security measures, genetic data, health-related data, sexual orientation, or biometric data for the purpose of uniquely identifying a person) during the recruitment/pre-employment/onboarding process to the minimum extent required and as permitted by applicable law. For any Sensitive Personal Information we process, we implement appropriate security measures based on the risk level of such information to prevent unauthorized access to and public disclosure, use, modification, destruction, leakage, or loss of Personal Information.

We may carry out psychometric testing and credit history checks only to the extent that they are necessary to assess your eligibility for the position and always only to the extent permitted by applicable law. For instance, we may carry out psychometric testing through duly qualified persons to assess eligibility for sales roles or roles handling highly confidential information of our customers. We may carry out credit history checks in very limited circumstances and always only to the extent permitted by applicable law for finance roles or roles handling highly confidential information of our customers.

The Company requests Personal Information directly from You and indirectly from third parties, such as former employers, educational institutions, online recruitment platforms, professional recruitment agencies, government agencies and credit reporting agencies. Where required by law, we will obtain your consent prior to requesting Personal Information from these third parties. We may request Personal Information from such third parties in connection with:

• Your application, references, and background checks (including criminal checks, checks against foreign or local sanctions lists, and checks to ensure compliance with applicable legislation on export controls, anti-money laundering and terrorism financing); and
• Other purposes as appropriate or permitted by law.

We use personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information when we have a legal basis for the processing as identified in the table below. However, please note that even though the chart below does not list consent as a legal basis for each processing activity, in some countries or regions (e.g., mainland China) consent is the only or most appropriate legal basis for the processing of Personal Information, and in those countries, we rely on consent for all or most of processing activities.

Specifically, in the European Economic Area, the United Kingdom and Switzerland (together, “Europe” or the “EEA”), Mastercard will only Process Your Sensitive Personal Information when:

• The Processing is required or permitted by law;
• The Processing is necessary for reasons of substantial public interest;
• The data have manifestly been made available to the Company by You; or
• The Company has obtained your explicit consent where relying on consent is permitted or appropriate under applicable law.

Where required under applicable law, we have carried out balancing tests for the data processing based on our or a third party’s legitimate interests to ensure that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms. For more information on our balancing tests, you may contact us as described in the “How to Contact Us” section below.

Where we seek to review and implement measures to improve our recruitment activities and ensure compliance with our policies such as equal opportunities, we use anonymized and aggregated data.

Eligibility Criteria and Use of Automated Employment Tools

In some countries and for certain roles, You may be asked to provide Personal Information in response to certain standard questions (such as right to work information), as well as some that are specific to the position for which You are applying (such as certain qualifications or licenses) which are required as minimum qualification to be eligible for consideration. If You do not respond or your responses to these questions indicate that You do not meet minimum standards, this may impact consideration of You for the role.

In certain cases, such as when looking to fill a job opportunity, we may process Your Personal Information with assistance from automated employment tools. However, all decisions with regards to the use of automated employment tools also include the use of human review and/or intervention.

We do not sell your Personal Information, share or otherwise disclose Personal Information we collect about You, except as described in this Notice or otherwise disclosed to You at the time the information is collected.

We may share your Personal Information we collect with:

• Companies within the Mastercard group, including Mastercard International Incorporated’s subsidiaries and affiliates globally to the extent that they are involved in the recruitment and/or hiring process;
• Members of our internal departments to the extent that they are involved in the recruitment and/or hiring process. Company staff accessing Personal Information are required to maintain its confidentiality and to Process such information in accordance with applicable law;
• Third parties to the extent necessary for the recruitment and/or hiring process (e.g., HR hosting services, candidate relationship management services, recruitment agencies and background screening agencies). The Company enters into contractual obligations on its third-party service providers to provide appropriate protection for Personal Information.

For more information on service providers, please contact us as described in the "How to Contact Us" section below.

We also may share Personal Information with our service providers who perform services on our behalf and in relation to the purposes described in this Notice:

• With the consent or authorization of the Individual;
• In the context of a sale or transfer involving all or a portion of the Company’s business or assets (including in the event of a reorganization, dissolution or liquidation);
• In response to requests by government agencies, such as law enforcement agencies;
• To protect the rights and properties of the Company;
• If required to do so by law, regulation or legal process (such as a court order or subpoena);
• When we believe disclosure is necessary or appropriate to prevent physical harm to Mastercard employees or financial loss;
• As part of an investigation of suspected illegal activity.

The Company enters into contractual obligations with its third-party service providers to provide appropriate protection for Personal Information. For more information on service providers, please contact us as described in the “How to Contact Us" section below.

Depending on the country in which you are located, You may have the following rights:

• Right of access: You have the right to access your Personal Information and request a copy of it. The Company may choose to limit access to Personal Information where: the disclosure would violate the rights of other Individuals; it relates to an ongoing investigation of wrongdoing and disclosure could compromise the investigation; or the Company is otherwise authorized to limit or deny such access under applicable law.
• Right to rectification: You have the right to obtain rectification of your Personal Information that is inaccurate or incomplete.
• Right to object: You may object to certain types of Processing of your Personal Information. we will reasonably accommodate such objections, as appropriate, and if granted, the Company will no longer Process your Personal Information unless we have compelling legitimate and lawful grounds to Process it. The Company will not subject Individuals to any disciplinary action for objecting to the Processing of Personal Information.
• Right to deletion: You may ask us to delete your Personal Information in specific cases such as when: we no longer need that information; You withdraw your consent to the Processing and we do not have any other legal ground for the Processing; your Personal Information has been Processed unlawfully; or when deletion is required by law.
• Right to restriction: You may request that we limit the way in which we Process your Personal Information where (i) You contest the accuracy of your Personal Information; (ii) the Processing is unlawful and You do not want your Personal Information deleted; (iii) we no longer need your Personal Information for the Processing, but You request we retain it in anticipation of a potential legal claim; or (iv) You objected to the Processing and we are reviewing whether we have an overriding interest to keep Processing the Personal Information.
• Right to withdraw consent: Where the Company relies on consent to Process Personal Information, You have the right to withdraw consent at any time, without affecting the lawfulness of Processing before the consent withdrawal.
• Right to data portability: You may also have the right to data portability, which means the ability to easily transfer your Personal Information to another company, when You provided your Personal Information directly to us, and where the Processing is based on your consent or is necessary for the performance of a contract.
• Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority of your habitual residence, where You have your place of work or where the alleged infringement took place.

If you reside in the United States, you may have additional rights as set out in our United States Privacy Policy.

Please be aware, that if You exercise your right to object or your rights of restriction or deletion, or if You decline to share certain information with us, we may not be able to assess your application. Also, some of these rights may be limited in certain circumstances by local law.

You can contact the DPO as described in the “How to Contact Us" section below.

The Company maintains appropriate administrative, technical, and physical safeguards to protect Personal Information of Individuals against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed. More information about our security policies is available upon request.

When your Personal Information is no longer necessary for the original purposes for which we Processed it, we either delete such Personal Information or maintain it in a non-identifiable form (unless we are required by applicable law to keep this information for a longer period).

When determining the retention period, we consider various criteria such as the nature and length of our relationship with You, business needs, statutory retention periods and any retention necessary to anticipate legal actions in accordance with any applicable statute of limitations. The periods are indicated in Mastercard retention policies per country which reflect local legal requirements.

If you are hired by us, we will keep your Personal Information for a longer period as part of our employment relationship. For information as to how we process your Personal Information in connection with your employment, please review the applicable workplace Privacy Notice, which is available upon hire and on our intranet.

For further guidance on the applicable retention periods, please contact the Data Protection Officer (“DPO") as described in the "How to Contact Us" section below.

Mastercard is a global business. During the recruitment process, we may transfer the Personal Information we collect about you to recipients in countries other than your country, including the United States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your Personal Information to other countries, we will protect that information as described in this Notice or as disclosed to you at the time of data collection.

We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located. In particular, we have established and implemented Binding Corporate Rules ("BCRs") that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. We equally rely on UK BCRs to transfer Personal Information outside of the United Kingdom. A copy of our BCRs are available here.

We may also transfer Personal Information to countries for which adequacy decisions have been issued (see list of countries for which the European Commission has issued an adequacy decision here), use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or their equivalent under applicable law, or rely on other data transfer mechanisms where applicable.

Additionally, Mastercard’s privacy practices, described in this Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.

If you are located in mainland China, you understand that we may transfer the Personal Information we collect about you to recipients in countries or regions other than mainland China, including Mastercard International Incorporated in the United States, Mastercard Asia/Pacific Pte. Limited in Singapore and to other affiliates as listed here. When we conduct international transfers of Personal Information, we will comply with requirements stipulated under applicable laws. By applying for a position with us, you will be deemed as having consented to our cross-border sharing of your Personal Information to recipients in countries or regions other than mainland China in accordance with this Notice.

You may contact us as described in the "How to Contact Us" section below to obtain a copy of the safeguards we use to transfer Personal Information and, in certain jurisdictions, learn more about how we transfer your Personal Information internationally.

Mastercard may from time to time make changes to this Notice to reflect changes in its legal or regulatory obligations, or to reflect changes in the manner in which we Process your Personal Information or for any other reason we deem appropriate. We will notify you in case of substantial changes to this Notice.

Mastercard International Inc. is Mastercard’s global headquarters and the entity responsible or “Data Controller” for the Processing of Personal Information described in this Notice.

If You applied for a position with or are employed by a local affiliate of Mastercard, that affiliate is the entity responsible for the Processing of Personal Information described in this Notice. If You applied for a position located in the EEA, please refer to Appendix A – Local Mastercard Entities for a list of the local Mastercard entity that is acting as Your data controller.

If you have any questions, comments or complaints about this Notice and our privacy practices, or would like to update your privacy preferences, please email us at: privacyanddataprotection@mastercard.com or write to us at:

Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
USA

If you are located in California, to exercise your rights under the CCPA, you may submit your request by emailing us at: privacyanddataprotection@mastercard.com, or call our toll-free number: 1-833-244-4084.

If you are located in the EEA, Mastercard Europe SA is the entity responsible for the processing of your Personal Information (or data controller). You may submit your request to exercise your rights to your Personal Information by emailing us at: privacyanddataprotection@mastercard.com, or write to us at:

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: privacyanddataprotection@mastercard.com or write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in Asia Pacific (excluding mainland China), Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: privacyanddataprotection@mastercard.com or write to us at:

Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352

If you are located in mainland China Mastercard Shanghai Business Consulting Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: privacyanddataprotection@mastercard.com or write to us at:

China Data Protection Officer
Room 2907-14, Part of 29/F Tower 2
Shanghai IFC, 8 Century Avenue
China (Shanghai) Pilot Free Trade Zone

If you are located in Quebec, Canada, you may contact our Data Protection Officer at privacyanddataprotection@mastercard.com.

For more information on Mastercard’s privacy practices in other contexts, please refer to our Global Privacy Notice.

LAST UPDATED: March 16, 2023

Application

This U.S. Privacy Addendum supplements the information contained in the global Mastercard Applicant Privacy Notice for California residents, as indicated below.

Additional disclosures for California residents

If you are a California resident from whom we collect Personal Information as a business under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”), you may rely on the global Mastercard Applicant Privacy Notice and the additional information below.

For the purpose of this section for California residents, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the CCPA. Personal Information does not include information that is publicly available, deidentified, or aggregated (as those terms are defined in the CCPA) or otherwise excluded from the scope of the CCPA.

1. Categories of Personal Information about you that we Collect and Disclose

The chart below provides the categories of Personal Information (as defined by the CCPA) we have collected and disclosed for a business purpose.

Category	We Collect	We Disclose
A. Identifiers. Examples: Personal and business contact information (e.g., name, postal address, telephone number, job title), unique personal identifiers or numbers, online identifier, device identifier(s), internet protocol address, email address, and similar identifiers. We may collect this information about other people if you give us their information. We may also associate information that you submit to us, such as content on our social media pages, with your identifiers.	Yes	Yes
B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, address, telephone number, email address, and IP address.	Yes	Yes
C. Characteristics of Protected Classifications under California or Federal Law. Examples: Gender, family status, age range, and military and veteran status.	Yes	Yes
F. Internet or Other Electronic Network Activity Information. Examples: Cookie and web beacon data, IP address, and pages viewed and actions you take on our online properties and apps.	Yes	Yes
H. Sensory Information. Examples: Photographs, audio recordings, and video recordings.	Yes	Yes
J. Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99). Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.	Yes	Yes
I. Professional or Employment-Related Information. Examples: Professional information such as job title, department, and business unit. Additionally, information you provide as part of your job application, e.g., contact information and employment history.	Yes	Yes
K. Inferences Drawn from Personal Information. Examples: Personal characteristics and interests.	Yes	Yes
L. Sensitive Personal Information. Examples: Racial or ethnic origin (as required by applicable law). (We note, however, that we do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under the CCPA).	Yes	No




2. Sources of Collection of Personal Information

We have collected Personal Information from the following categories of sources:

• You/Your Devices: You or your devices directly.
• Affiliates.
• Employees: members of our internal departments to the extent that they are involved in the recruitment and/or hiring process.
• Social Networks, such as LinkedIn.
• Third Parties: such as former employers, educational institutions, background check agencies, credit reporting agencies, and independent service providers acting as a business (always in compliance with applicable law).
• Public: Publicly accessible sources.



3. Use of your Personal Information

We collect, use, and disclose your Personal Information in accordance with the specific business and commercial purposes described in Section 2 of the Mastercard Global Applicant Privacy Notice, entitled “How We May Use Your Personal Information”.

4. Disclosure of your Personal Information to Third Parties

With respect to the categories of Personal Information identified above in Section 1, we disclose your Personal Information to the following categories of third parties:

• Mastercard Personnel: members of our internal departments to the extent that they are involved in the recruitment and/or hiring process. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Internet or Other Electronic Network Activity Information; Sensory Information, Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99), Professional or other Employment-related Information, Inferences Drawn from Personal Information, or Sensitive Personal Information.
• Affiliates. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Internet or Other Electronic Network Activity Information; Sensory Information, Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99), Professional or other Employment-related Information, or Inferences Drawn from Personal Information.
• Vendors: Vendors and service providers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Internet or Other Electronic Network Activity Information; Sensory Information, Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99), Professional or other Employment-related Information, or Inferences Drawn from Personal Information.
• Third Parties as Legally Required: Third parties as required by law and similar disclosures. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; or Professional or other Employment-related Information.
• Third Parties in Merger/Acquisition: Third parties in connection with a merger, sale, or asset transfer. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; or Professional or other Employment-related Information.



We do not have actual knowledge that we sell Personal Information of consumers under 16 years of age or that we share Personal Information of consumers under 16 years of age for CCBA.

We do not sell your Personal Information or “share” Personal Information with third parties for “cross-context behavioral advertising”.

We do not collect, use or discloses sensitive personal information for purposes other than those permitted by the CCPA.

Retention

We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as, the nature and length of our relationship with you, the impact on your application if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

5. Your Privacy Rights

If you are a California resident, you have the rights as set out in this section and may exercise them by following this guidance.

Your rights:

Right to Know and Access. You may submit a verifiable request for (as applicable to you as a Mastercard job applicant) information regarding the: (1) categories of Personal Information collected, or disclosed by us; (2) purposes for which categories of Personal Information are collected by us; (3) categories of sources from which we collect Personal Information; (4) categories of third parties with whom we disclosed Personal Information; and (5) specific pieces of Personal Information we have collected about you.

Right to Delete. Subject to certain exceptions, you may submit a verifiable request that we delete Personal Information about you that we have collected from you.

Right to Correct. You have the right to correct inaccurate Personal Information that we maintain about you.

Verification. Requests for access, deletion, or correction of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested pursuant to relevant CCPA requirements, limitations, and regulations. Mastercard is committed to secure personal information. When applicants exercise their privacy rights via email, we verify their identity by using their contact information (email and/or name, surname or employee identification number (for active employees applying for new positions).

Right to Not Receive Discriminatory Treatment. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations. We will not retaliate against you for exercising your CCPA privacy rights.

How to Submit Data Subject Rights Requests as a job applicant:

To exercise your rights under the CCPA, please submit your request to privacyanddataprotection@mastercard.com, or call our toll-free number: 1-833-244-4084.

Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a California resident, you may email us at privacyanddataprotection@mastercard.com, or call our toll-free number: 1-833-244-4084. Please note that we will require you to attach a written authorization signed by the resident whose Personal Information will be subject to the request.