
Notice and Privacy Policy to Employee and Applicants Under the CCPA/CPRA


In accordance with the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CPRA”), the Company is providing you with this Notice and Privacy Policy to inform you of information covered by the CPRA that the Company collects and certain information and rights related thereto.

Categories of Personal Information Collected and Purposes of Collection

The following chart identifies the categories of personal information that the Company collects on you and the purposes for which the categories of personal information are or will be used. If you are an existing employee, the Company has already collected some of this information, and some of this information will or may be collected in the future.

| Category of Personal Information* | Collected | Purposes |
|---|---|---|
| A. Identifiers: Real name, postal address, unique personal identifier (File ID#), phone number, photograph, internet protocol address (if you access the Company’s systems remotely), email address, bank account name and information, social security number, driver’s license number, state identification card (if applicable), passport and business visa numbers, Company system username, log-in and passwords or access code. | Yes. | As applicable for payroll, record keeping, time keeping, benefits administration, background checks, expense reimbursements, company communications, travel authorization, performance management, training and development, security clearances, access authorization for facilities and systems, defending or pursuing legal matters, workplace investigations, headcounts, work assignments, administration of diversity and inclusion initiatives, tax and other governmental compliance and reporting, and to engage in other legitimate business purposes reasonably required for our day-to-day operations such as accounting, financial reporting and business planning. |
| B. Biometric information. Identifying information, such as, fingerprints, faceprints, and voiceprints, or iris or retina scans. | No. | |
| C. Characteristics of protected classifications under California or federal law. Race, color, national origin/nationality, immigration and citizenship status, physical or mental disability (if applicable), medical conditions (if applicable), genetic information (if applicable), marital or domestic partner status, gender, gender expression, date of birth, military or veteran status. | Yes. | EEO-1 and mandated governmental reporting; benefits (i.e., date of birth if applicable); IT management (i.e., nationality/country in which you work); beneficiary information (includes spouse and dependent names, SSNs, DOB, and other information that you provide); addressing leave requests and disability accommodations, short term or long term disability benefits, workers compensation and similar issues as applicable (i.e., physical or mental disability (if applicable), authorization to work in the US, or on work with access to CUI (immigration and citizenship status); medical conditions (if applicable); administration of diversity and inclusion initiatives. |
| D. Professional or Employment Related Information Employment history, education, employment status, special training, certifications and qualifications. | Yes. | Hiring and promotion, employment decisions, job assignments, compensation, training and development, security clearances, workplace investigations, compliance with legal requirements. |
| E. Education Information defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g; 34 C.F.R. Part 99). | No. | N/A |
| F. PI under 1798.80(e): Signature, company provided health insurance information (policy numbers or subscriber number), medical information. | Yes. | Contracts, acknowledgments, benefits, addressing leave requests and disability accommodations, short term or long term disability benefits, workers compensation and similar issues as applicable. See also Sections A, C, and D above. |
| G. Internet or other Electronic Network Activity Information including, but not limited to, browsing history, search history, and information regarding interaction with Company’s website, network and communication systems. | Yes. | Productivity and workflow analysis, workplace investigations, compliance with company policies and applicable law, administration of information security policies and safeguards. |
| H. Geolocation data. Physical location or movement | Yes. | Company-owned mobile devices and PCs, as well as employee-owned mobile devices enrolled in Company’s BYOD program, include geolocation data which may be used by the Company for purposes of administration of information security policies and safeguards (i.e., determining location of a lost or stolen device), performance management, and workplace investigations. |
| I. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | No. | |
| J. Audio, electronic, visual, thermal, olfactory, or similar information. | Yes. | Telephone call monitoring on company systems for performance management, security cameras, Productivity and workflow analysis, workplace investigations, compliance with company policies and applicable law, security (physical and access to Company systems). |
| K. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. N/A | No. | N/A |
| L. Sensitive personal information. Defined as a Social Security number, driver’s license number, state identification card number, or passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership, the contents of mail, email and text messages unless the business is the intended recipient of the communication, genetic data, biometric information to uniquely identify the employee, personal information collected and analyzed regarding your health, citizenship and immigration status, and neural data (information that is generated by measuring the activity of a consumer’s central or peripheral nervous system and that is not inferred from nonneural information). | Yes*. | Benefits administration, payroll, wellness program, security clearances, ensuring the security and integrity of the Company’s networks, equipment, information and systems, to ensure compliance with Company policies and to address noncompliance, responding to requests for accommodation or leave, to investigate suspicion of criminal activity, and for compliance with legal requirements. See also applicable categories above where such information is identified. |
*Company does not collect credit card number in combination with any required security or access code except if Associate makes the independent decision to purchase products from the Company either under the Associate Purchase Program or otherwise. Company does not collect religious beliefs (except in connection with an employee request for a religious accommodation) or philosophical beliefs, biometric data, genetic data except where necessary in connection with a request for accommodation or leave, neural data, or union membership.

*Please note that all work related communications, all passwords used for access to Company systems, property and devices, and all use of the Company’s networks, electronic devices, and communication systems, are considered the property of the Company.

MSC uses an application by OwnID to allow Associates to login to the MSC ecommerce website through biometric identification embedded in the Associates’ smartphones and similar devices for purposes of enabling login authentication. Use of the OwnID application is voluntary and is an alternative to entering a username and password. OwnID has represented to MSC that it does not collect or process a user’s biometric information. Likewise, MSC does not access or process the biometric information. Associates using company phones who choose to use the OwnID application should reset Face ID on their iPhones, and delete any other biometric information on the iPhone, when they return the devices to MSC. MSC generally wipes company phones when returned by the associate, but may retain and image the device if needed for purposes of investigation, litigation or business continuity. More information regarding OwnID is available on OwnID’s website, which can be accessed by this link: https://www.ownid.com/.

Selling and Sharing

The Company does not sell employee and applicant personal information and does not share employee and applicant personal information with third parties for cross context behavioral advertising.

Disclosure to Third Parties

Company may disclose all categories of information listed above that we collect to service providers (such as but not limited to payroll and benefit providers, legal counsel, security consultants, and application providers) to the extent reasonably necessary for various business and commercial purposes. The Company does not disclose employee personal information to third parties for a business purpose if they are not service providers.

Retention Periods

The Company does not retain your personal information for longer than necessary for the purposes set out in this notice and policy. Different retention periods apply for different types of personal information, and in most cases the Company uses the purpose for which the Company collected the personal information to determine the length of time that the Company needs to retain it. In some instances, such as when required by law, we may retain the information for a longer period. Other criteria considered in the length of retention include the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and third party requirements on retention.

Categories of Sources from Which We Collect Your Personal Information

The Company obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or information that you send to the Company.
  • Indirectly from you. For example, from observing your performance, observing your actions on the Company’s website or technology resources, and/or from cookies on our Website.
  • Feedback from your supervisors and managers.
  • From service providers.

The Company also collects personal information when you interact with us or apply for a position with us. The personal information we collect about you will vary by context.

Your Rights and Choices

California law provides covered California residents with specific rights regarding their personal information. This section describes your rights and explains how to exercise those rights. These rights are subject to certain limitations, as set forth in the CPRA. For example, these rights do not restrict the Company’s obligations to comply with applicable law or a court order, subpoena or a governmental authority’s civil, criminal or regulatory inquiry or investigation, exercise or defend legal claims, use or retain personal information that is de-identified, or cooperate with law enforcement. These rights also do not apply to protected health information under HIPAA or background checks subject to the Fair Credit Reporting Act.

Access to Specific Information and Data Portability Rights

You have the right to request that the Company disclose certain information to you about our collection and use of your personal information over the 12 months preceding the Company’s receipt of your request (unless government regulations on the CPRA provide for a longer period). Once we receive and confirm your verifiable request (see Exercising Access, Data Portability, Deletion, and Correction Rights), we will disclose to you:

  • The categories of personal information we collected about you, including sensitive personal information.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting that personal information (and selling or sharing that personal information, if in the future the Company sells or shares).
  • The categories of third parties (if any) with whom we share that personal information.
  • The specific pieces of personal information we collected about you.
  • In connection with any personal information the Company may sell, share, or disclose to a third party for a business purpose (if any), you have the right to know:
    • The categories of personal information about you that the Company sold or shared and the categories of third parties to whom the personal information was sold or shared; and
    • The categories of personal information that the Company disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose.

You also have the right under the CPRA to receive certain specific pieces of personal information that were obtained from you.

These rights are subject to certain exceptions. For example, the CPRA does not require disclosure of trade secrets, disclosure that would adversely affect the rights and freedoms of other people, or information covered by the attorney-client privilege. The Company is not obligated to provide information to the same employee or applicant more than twice in a 12-month period.

Deletion Request Rights

You have the right to request that the Company delete your personal information that the Company collected from you and retained, subject to certain exceptions. After the Company receives and confirms your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), the Company will delete (and direct the Company’s service providers to delete) your personal information from the Company’s records, unless an exception applies.

The Company may deny your deletion request if retaining the information is necessary for the Company or our service provider(s) or contractors to:

  1. Complete the transaction for which the Company collected the personal information, provide a good or service that you requested or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform the Company’s obligations to you;
  2. Detect security incidents, ensure the physical safety of individuals, or resist or prosecute malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
  3. Use the information for internal uses reasonably aligned with your expectations based on your relationship with the Company and compatible with the context in which you provided the information to the Company;
  4. Debug products to identify and repair errors that impair existing intended functionality;
  5. Exercise free speech, ensure the right of another person to exercise their free speech rights, or exercise another right provided for by law;
  6. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
  7. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent; or
  8. Comply with a legal obligation.

The Company has the right to deny your deletion request if deletion is impossible or would involve disproportionate effort or would adversely affect the rights and freedoms of another individual.

Right to Correction

You have the right to request correction of inaccurate personal information maintained by the Company about you. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information taking into account the nature of the personal information and the purposes of the processing. This right is subject to certain exceptions, including to the extent that correction would adversely affect the rights and freedoms of other individuals, correction is impossible or would involve disproportionate effort, or in certain other instances set out in government regulations.

Exercising Access, Data Portability, Deletion, and Correction Rights

To exercise the access, data portability, correction and deletion rights described above, please submit a verifiable request to the Company by either:

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your personal information.

You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows the Company to reasonably verify you are the person about whom the Company collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows the Company to properly understand, evaluate, and respond to it.

The Company cannot respond to your request or provide you with personal information if the Company cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable request does not require you to create an account with the Company. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

The Company will only use personal information provided in a verifiable request to verify the requestor's identity or authority to make the request.

Response Timing and Format

The Company tries to respond to a verifiable request within forty-five (45) days of its receipt. If the Company requires more time (up to an additional 45 days), the Company will inform you of the reason and extension period in writing.

If you have an account with the Company, the Company will deliver our written response to that account. If you do not have an account with us, the Company will deliver our written response by mail or electronically, at your option.

The response will also explain the reasons the Company cannot comply with a request, if applicable. For data portability requests, the Company will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

The Company does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If the Company determines that the request warrants a fee, the Company will tell you why the Company made that decision and provide you with a cost estimate before completing your request.

Protection Against Retaliation

You have the right not to be discriminated against by us because you exercised any of your rights under the CPRA. The Company will not retaliate against an employee, applicant for employment or independent contractor for exercising their rights under the CPRA.

Questions

If you have any questions regarding this Policy or the Company’s privacy practices, please contact:
Yolanda Brock
Counsel, Employment & Compliance
yolanda.brock@mscdirect.com
(704) 987-5476

May 28, 2025