Job Applicant Privacy Notice

Data controller: AECOM (the Organization)

As part of any recruitment process, AECOM collects and processes personal data relating to job applicants. The organization is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does AECOM collect?

AECOM collects a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number;
  • details of your qualifications, skills, experience and employment history;
  • whether or not you have a disability for which the organization needs to make reasonable adjustments during the recruitment process;
  • information about your entitlement to work in a particular country of employment; and
  • on a voluntary basis, equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

The organization collects this information in a variety of ways. For example, data might be provided in the Candidate Profile, contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests.

AECOM will also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. The organization will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Why does AECOM process personal data?

AECOM needs to process data to take steps at your request prior to entering into a contract with you. We also need to process your data to enter into a contract with you.

In some cases, the organization needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant’s eligibility to work before employment starts.

The organization has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organization to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. The organization may also need to process data from job applicants to respond to and defend against legal claims.

Where the organization relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

The organization processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organization processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes and purely on a voluntary basis.

For some roles, the organization is obliged under the law to conduct denied parties screening or seek information about criminal convictions and offences. Where the organization seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

Who has access to data?

AECOM has contracted with a trusted third-party service provider to manage its online employment application process. AECOM’s third-party provider has agreed to comply with all regulations applicable to the protection of your personal information. The provider will use candidate information only to process AECOM employment applications in accordance with AECOM’s instructions and not for any other purpose. The provider will not disclose any personal information to any third party. During the recruitment process, candidate information will be accessed internally only by those AECOM employees who are involved in the recruitment process.

In the Candidate Profile form we notify you which fields are mandatory for the application process and which are optional. Personal information submitted through the Candidate Profile will be made available to recruiters across all AECOM business lines and geographies. Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

Because AECOM is a global multinational company, your application and the personal information that you submit may be used globally in connection with recruitment processes within the Company. Consequently, your personal information may be transferred across national borders and may be accessed by AECOM affiliates in countries with different laws providing varying degrees of protection for your personal information. AECOM will abide by any local laws applicable to collection and transfer of Personal Information. AECOM and its corporate affiliates may use your personal information in connection with the position in which you have expressed an interest or to contact you in the future about other positions, within AECOM, that may match your skills and experience.

The organization will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organization will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks. In exceptional circumstances, candidate personal data may be processed and retained for the purpose of immigration requirements, including the sharing of that data with legal advisers and the Government Bodies, and the length of time data may be stored will be in accordance with laws relating to these requirements.

EU-U.S. Privacy Shield

AECOM complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union to the United States. AECOM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit

AECOM’s participation in the Privacy Shield applies to all Personal Information that is transferred from the European Union and European Economic Area and Switzerland to the United States. AECOM will comply with the Privacy Shield Principles in respect of such Personal Information.

AECOM’s accountability for Personal Information that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, AECOM remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to Process the Personal Information on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless AECOM proves that it is not responsible for the event giving rise to the damage. AECOM may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have a Privacy Shield-related (or general privacy-related) question, we encourage you to contact us at AECOM has designated JAMS, an alternative dispute resolution provider, to address complaints and provide appropriate recourse free of charge to individuals with respect to the Privacy Shield. Individuals may contact JAMS at As explained in the Privacy Shield Principles, a binding arbitration option will be made available to you in order to address residual complaints not resolved by any other means. AECOM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

How does the organization protect data?

The organization takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

AECOM’s information security processes provide for the classification of information and the assignment of protection requirements and information security controls based on the classification of information. The safeguards used to protect Personal Information should be commensurate with the type of Personal Information being processed and the risks involved.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request;
  • require the organization to change incorrect or incomplete data;
  • require the organization to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of your data where the organization is relying on its legitimate interests as the legal ground for processing; and
  • ask the organization to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organization’s legitimate grounds for processing data.

If you would like to review or edit the personal information you have submitted, please log in to your account and click on the ‘Edit your profile’ link.

If you would like to delete the personal information you have submitted, please log in to your account and, from the ‘Edit your profile’ page, click the ‘Delete profile’ button.

For how long does the organization keep data?

Unless you delete your personal information, we will retain it for a minimum of 12 months from your last update, unless otherwise required by law. If you are hired by AECOM, we will retain the personal information you have submitted as part of your employment record for the term of your relationship with AECOM and for any post-termination period permitted or required by law.

If you believe that the organization has not complied with your data protection rights, you can complain to the Information Commissioner.

What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the organization during the recruitment process. However, if you do not provide the information, the organization may not be able to process your application properly or at all.

Automated decision-making

Recruitment processes are not based solely on automated decision-making.