Global Privacy Notice

Revised February 12, 2020

1. Purpose and Scope

In the regular course of business, AECOM, its subsidiaries and affiliates (collectively, “AECOM”) acquires Personal Information by interaction and communication with potential, current or past job applicants, clients, vendors, contractors, sub-contractors and other third parties. AECOM takes seriously its obligations to protect such Personal Information.  As evidence of its commitment to privacy, AECOM has established this Global Privacy Notice (“Privacy Notice”) about how AECOM collects, uses, processes and stores your Personal Information.

AECOM will only process your Personal Information in accordance with this Privacy Notice unless otherwise required by applicable law. The organization takes steps to ensure the Personal Information collected about you is adequate, relevant, not excessive, and processed for limited purposes.

This Privacy Notice does not cover data rendered anonymous. Data is rendered anonymous if individual persons are no longer identifiable.

You are under no obligation to provide Personal Information to AECOM.  However, if you do not provide the information, AECOM may not be able to provide the requested service to you.

2. Definitions

AECOM uses the following definitions:

  1. Data Privacy” means the legal rights and expectations of individuals to control how their Personal Information is collected and used.
  2. Personal Information” means any information relating to an identified or identifiable natural person
  3. Processing” means any operation or set of operations that is performed upon Personal Information
  4. Sensitive Personal Information” has definitions that vary from country to country. For example, European data protection laws treat certain categories of Personal Information as especially sensitive, e.g., biometric, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying medical or health conditions, or sex life.

3. Data Collected and Purpose

Category 

Personal Information

Purpose            

General Personal Information

Full Name, Telephone Number, including Mobile, Address, Email Address

a.       Communicate with job applicants, clients, vendors, contractors, sub-contractors and other third parties concerning AECOM employment opportunities, projects and business operations

b.       Administer background/clearance checks, legal due diligence/anti-corruption screening, and quality, occupational health and safety standard checks on job applicants, vendors, contractors and sub-contractors

c.       To verify individual’s identity

d.       Recording of working time and timesheet records for contractors and sub-contractors

e.       Incident response communications with customers, vendors, contractors, sub-contractors and other third parties

f.        Administration of safety and protection of AECOM employees, resources, and workplaces

Business Relationship Status (e.g., visitor, vendor, contractor, sub-contractor)

a.       Ensuring access to correct areas is granted for customer staff, vendors, contractors and sub-contractors

b.       Identification purposes for physical site access and security

c.       Recording of working time/timesheet records for contractors and sub-contractors

Emergency Contact/Next of Kin Name and Telephone Number

a.       Emergency contact use for contractors and sub-contractors

Date of Birth, Nationality, Citizenship, Country of Birth

a.       To administer eligibility to work checks

b.       Administer denied parties, legal due diligence/anti-corruption screening, and quality, occupational health and safety standard checks on vendors, contractors and sub-contractors

Gender

a.       Requirements for reporting on diversity and equality

Government Issued Identification / Passport Number/ National ID

a.       Accounting/government tax and auditing business purposes for vendors, contractors and sub-contractors

b.       To run checks for suitability for work for vendors, contractors and sub-contractors

c.       To verify individual’s identity

Username/Unique Identifier and Password

a.       System access and authentication

b.       Administration of safety and protection of AECOM systems for recording and monitoring network activity for the purpose of identifying, predicting, and preventing the entry of malicious activity onto or the release of information from AECOM network and computing resources

Medical (e.g., Medical Certificate)

a.       Required by Occupational Health surveillance laws related to individual’s functional ability and fitness for specific work, with any advised restrictions

b.       To make reasonable adjustments based on disability

c.       Reporting of worksite safety incidents

Insurance Policy Number

a.       Administer quality standard checks on vendors, contractors and sub-contractors

Financial Information

Bank Information, including Routing and Account Number

b.       Remuneration for vendor, contractor or sub-contractor services

c.       Administer denied parties, legal due diligence/anti-corruption screening for vendors, contractors, or sub-contractors

Social Information

Job Titles

Skills/Work History

Experience History

Training and Certification Records

Evaluations

References /Background Check

a.       To administer eligibility to work before employment starts

b.       To administer quality, safety and compliance checks and reviews to qualify third party contractors for performing work in accordance with applicable quality standards such as ISO 9001 and NQA-1, including use of individuals who are required to maintain specific qualifications or certifications.

c.       Manage AECOM business and project-related operations

Biometric

Fingerprint scanning, photograph

a.       Identification purposes for physical site access and security of certain site locations and project worksites.

Voluntary

Ethnic origin, sexual orientation, health and religion or belief

a.       Administer equal opportunities monitoring

4. How Data is Collected

We use different methods to collect data from and about you:

  1. Direct Interactions: You give us your Personal Information when contacting us through candidate profiles, through interviews, or in response to surveys, jobs, projects, bids, through quality and compliance questionnaires, proposals or other means. This includes information you provide when you submit your CV/resume or contact details through our website or email.
  2. Third Parties or Publicly Available Sources: AECOM may obtain information about you from a representative of your company (if we are sub-contracting services), publicly available online records, background check providers, criminal records check, or past or current professional references you supply to us. The organization will seek information from third parties only once a job offer or business opportunity has been made and will inform you or your company representative that it is doing so.

We do not undertake automated decision making or profiling on Personal Information or Sensitive Personal Information.

5.  Legal Basis for Processing

For AECOM to process Personal Information we must have a lawful basis for doing so and at least one of the following must apply:

  1. Consent: an individual must give clear consent for us to process their personal information and then only for a specific purpose.
  2. Contract: the processing is necessary for a contract that AECOM has with an individual, or because we have asked the individual to take specific steps before entering into a contract.
  3. Legal Obligation: the processing is necessary for AECOM to comply with the law.
  4. Vital Interests: processing is necessary to protect someone’s life.
  5. Public Task: the processing is necessary for AECOM to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate Interests: the processing is necessary for the purposes of the legitimate interests pursued by AECOM or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data where the data subject is a child.

Unless otherwise required by applicable data protection law, AECOM relies on legitimate interests for processing Personal Information during the recruitment process, forming contractual business relationships, and complying with legal requirements.  Where AECOM relies on legitimate interests as a reason for processing Personal Information, it has considered whether those interests are overridden by the rights and freedoms of individuals affected by that need.

 

AECOM adheres to the following guidelines to ensure that its collection of Personal Information is fair and lawful. Specifically, AECOM:

  1. Collects only as much Personal Information as is required by law or needed for reasonable and legitimate business purposes.
  2. Collects Personal Information in a non-deceptive manner.
  3. Where appropriate, informs individuals which Personal Information is required, and which is optional at the time of collection.
  4. Collects Personal Information from individuals consistent with local legal requirements.

AECOM may need to collect Sensitive Personal Information. Where required under applicable local law, such Personal Information will be processed with consent. Where required by applicable local law or the EU-U.S. Privacy Shield, consent to transfers or uses of Sensitive Personal Information will be opt-in.

6.  Use and Retention

AECOM uses, stores, retains, and otherwise processes Personal Information only for reasonable business purposes and for only as required for that business purpose or as authorized.

AECOM does not disclose Personal Information to third parties for direct marketing purposes, nor does it sell Personal Information.  Processing of Personal Information will comply with contractual, regulatory, and local legal requirements.

AECOM stores and destroys Personal Information based on AECOM data retention policies and procedures.  AECOM retains the data for as long as it serves the purpose of processing for which it was collected or subsequently authorized.

Job candidate Personal Information may be processed and retained for immigration requirements as part of the rehire process, including the sharing of that data with legal advisers and the Government Bodies. The length of time data may be stored will be based on laws relating to these requirements.

7. Data Privacy Rights

Where permitted or required by applicable law, AECOM extends certain data privacy rights to you.

Note that we may be unable to provide you access to your Personal Information in instances where we have destroyed, erased, or anonymized the data, or if it would reveal Personal Information about another person. We may also refuse any request if applicable law allows or requires us to do so.  We will inform you of the reasons for refusal.

  1. The right to request access. You have the right to request AECOM for copies of your Personal Information.
  2. The right to request rectification. AECOM relies on you to ensure the information you provide to AECOM about you is accurate, complete and current. If any Personal Information is inaccurate or incomplete, you may request that your Personal Information be corrected or completed. AECOM will correct or delete Personal Information as required by applicable law. You may also request to correct, amend, or delete Personal Information that has been processed in violation of the EU-U.S. Privacy Shield Principles or applicable data protection law.
  3. The right to request erasure. You have the right to request AECOM delete your Personal Information under certain conditions.
  4. The right to withdraw consent. Where you have provided written consent (or positive opt-in) to the collection, processing, or transfer of Personal Information, you may have the legal right to withdraw consent. Where we have processed your Personal Information with written consent (or positive opt-in), you can withdraw that consent at any time.  Note – withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal nor will it affect the processing of the Personal Information conducted in reliance on a lawful basis other than consent.
  5. The right to request portability. You have the right to request AECOM transfer your Personal Information that we have collected to another organization, or directly to you, under certain conditions.
  6. The right to restrict processing. You have the right to request that AECOM restrict the processing of your Personal Information, under certain conditions.
  7. The right to opt-out of email marketing. You can opt-out of email marketing communications at any time by selecting the email’s “Opt-out” or “Unsubscribe” link, or following the instructions included in each email subscription communication.
  8. The right to file a complaint. If you consider that your privacy rights have not been adequately addressed, you have the right to submit a complaint to the AECOM Privacy Office or with the supervisory authority in your country of residence.

You can submit a request to exercise these data privacy rights to the AECOM Privacy Office at privacyquestions@aecom.com. California residents may also call 888.299.9602. AECOM will request specific information to help confirm identity and rights.

AECOM will not discriminate against individuals for exercising any of their privacy rights allowed or required by applicable data protection law or regulation.

8. Sharing and Onward Transfer

AECOM shares Personal Information in the following ways:

  1. Affiliates: AECOM shares information among AECOM subsidiaries and affiliates for the purposes described in this Privacy Notice where consistent with applicable legal requirements.
  2. Third-Party Suppliers: AECOM shares Personal Information to selected affiliated or trusted third party suppliers to perform services on behalf of the organization.  These trusted third-parties include, but are not limited to Information Technology Providers, Cloud Providers, Data Hosting Services, Denied and Restricted Party Screening Providers, Background Check Providers, and Data Storage Providers.
  3. Clients: AECOM shares certain Personal Information as part of our professional services under contract to our clients, including governmental agencies, for project-related work, security clearances or as required by security protocols.
  4. Other Third Parties: AECOM discloses certain Personal Information to other third parties:
    1. where required by law or legal process (e.g., to tax and social security authorities);
    2. where AECOM determines it is lawful and appropriate;
    3. to protect AECOM’s legal rights (e.g., to defend a litigation suit or under a government investigation or inquiry) or to protect its employees, resources, and workplaces; or
    4. in an emergency where health or security is at stake.
  5. Public Security/Law Enforcement: AECOM may be required to disclose Personal Information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

AECOM is a global company, with offices, Clients, and Suppliers located throughout the world. As a result, Personal Information may be transferred to other AECOM offices, data centers, and servers in Europe, Asia, South America, or the United States for the purposes identified. Any such transfer of Personal Information shall take place only under applicable law.

AECOM will take steps designed to comply with all applicable local laws when Processing Personal Information, including any local law conditions for and restrictions on the transfer of Personal Information.

AECOM may also protect data through other legally valid methods, including international data transfer agreements or Standard Contractual Clauses that have been recognized by Data Protection Authorities as providing an adequate level of protection to the Personal Information we process globally.

AECOM will ensure all transfers of Personal Information are subject to appropriate safeguards as defined by data protection laws and regulations.

9. EU-US Privacy Shield

AECOM complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (EU) to the United States. AECOM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To view the company’s certification status: https://www.privacyshield.gov/participant?id=a2zt0000000GncYAAS&status=Active.

In the context of an onward transfer AECOM has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. AECOM shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

AECOM has designated JAMS, an alternative dispute resolution provider, to address complaints and provide appropriate recourse free of charge to individuals with respect to the Privacy Shield. Individuals may contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. As explained in the Privacy Shield Principles, a binding arbitration option will be made available to you in order to address residual complaints not resolved by any other means. AECOM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

In compliance with the Privacy Shield Principles, AECOM commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact the Privacy Office at: privacyquestions@aecom.com.

10. Data Security

AECOM has adopted and maintains reasonable and appropriate information security policies, processes and/or procedures to safeguard Personal Information from loss, misuse, unauthorized access, disclosure, alteration, destruction, and other Processing.

AECOM’s information security processes provide for the classification of information and the assignment of protection requirements and information security controls based on the classification of information. The safeguards used to protect Personal Information is commensurate with the level of risk involved.

11. Exceptions

Under certain limited or exceptional circumstances, AECOM may, as permitted or required by applicable laws and regulations or the Privacy Shield if applicable, process Personal Information without providing notice, access or seeking consent. Examples of such circumstances may include investigation of specific allegations of wrongdoing, violation of company policy or criminal activity; protecting employees, the public, or AECOM from harm or wrongdoing; cooperating with law enforcement agencies; auditing financial results or compliance activities; responding to court orders, subpoenas or other legally required disclosures; meeting legal or insurance requirements or defending legal claims or interests; satisfying labor laws or agreements or other legal obligations; collecting debts; protecting AECOM’s information assets, intellectual property and trade secrets; in emergency situations, when vital interests of the individual, such as life or health, are at stake; with respect to access requests, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or the privacy interests of others would be jeopardized; and in cases of business necessity.

12. Complaints and Questions

If you feel that your rights have not been adequately addressed, you have the right to submit a complaint to the AECOM Privacy Office: privacyquestions@aecom.com or with the supervisory authority in your country of residence.

If you have any questions about this statement or our handling of personal information, please contact the Privacy Office by e-mail at privacyquestions@aecom.com.