Revision 4 September 22, 2023

  1. Purpose and Scope

    AECOM takes your privacy seriously. Please read this privacy notice (“Notice”) carefully as it contains essential information on how and why AECOM and its subsidiaries and affiliates (collectively, “AECOM” or the “Company”) Process your Personal Data. This Notice also explains your rights concerning your “Personal Data” and how to contact Company representatives or supervisory authorities in case you have a complaint.

    Within the context of this Notice, “Personal Data” means any information relating to an individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

    “Personal Data” does not cover aggregated data, data rendered anonymous, or data that has been de-identified. Aggregate data relates to a group or category of individuals from which individual identities have been removed. Data is rendered anonymous if individual persons are no longer identifiable. De-identified data is data that has had identifiable elements removed, and cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.

    To “Process” “Personal Data” means any operation or set of operations performed upon Personal Data, whether by automatic means or otherwise. This includes the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of Personal Data.

    The Company will only Process “Personal Data” according to this Notice unless otherwise required by applicable law. The Company takes steps to ensure the “Personal Data” collected is adequate, relevant, not excessive, processed for limited purposes, and stored for no longer than is reasonably necessary in furtherance of those purposes. The Company does not sell “Personal Data”, nor does it share it with third parties for cross-context, behavioural advertising.

    If you do not provide the information requested, we may not be able to provide the services. If you disclose any “Personal Data” relating to other people to us or to our service providers in connection with the services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

    AECOM collects “Personal Data” directly from you – in person, by telephone, text or email, websites, and apps, or from third-party sources for various business purposes as described herein.

    When the text of this Notice or any supplemental notice is available in multiple languages, the English version is the authoritative version.

  2. What information we collect

    1. Company Public Websites or User Survey

      When expressing interest in AECOM’s products or services, completing a survey, or using our “Contact Us” or similar features, you may have the option to provide contact information such as your name, job title, organization name, address, e-mail address, phone number, comments, and interests.

      1. We use your information for the following purposes:

        1. To manage your relationship with AECOM and better serve you when using the services by personalizing and improving your experience. We also may use such information to analyze how users use the Services and related analysis, research, reporting, and troubleshooting and as we believe is necessary or appropriate to protect, enforce, or defend legal rights, privacy, safety, or property, whether our own or that of our employees or agents or others and to comply with applicable law.

        2. To provide the AECOM website and other services to you, to communicate with you about your use of our site and services, to diagnose technical problems, to respond to your inquiries, and for other customer service purposes.

        3. To support client project-related requirements.

        4. To tailor the content and information that we may send or display to you, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Public Website.

        5. To send you marketing information, product recommendations, and other non-transactional communications (e.g., marketing newsletters) about us, including information about our products and services, promotions, special offers, or events as necessary or to otherwise contact you about products or information we think may interest you. You can opt out of being contacted by us for marketing or promotional purposes by following the instructions in the marketing emails we send or by using the information in the Contact Us” section. Additional restrictions on AECOM being able to send you marketing information may apply depending on the jurisdiction.

          We may receive additional information about you from other publicly and commercially available sources, as permitted by law. We may combine all the information we collect or receive about you and use or disclose it as described in this Notice.

          As you navigate AECOM’s public websites, AECOM may collect information such as your Internet Protocol (IP) address, Web browser information, and your actions while on the site. This information will be collected, if at all, using commonly used information-gathering tools, such as cookies and web beacons. Standing alone, this information does not directly identify you personally. You can configure the types of cookies that will be active while browsing with the consent manager accessible from the site.

      2. This section provides more information about some of these technologies and how they work.

          1. Cookies: Cookies are small text files used to store information about users on the users’ own computer. Cookies may be used to recognize you as the same user across different visits to the website. Knowing how a user is using the Services through cookies enables us to tailor our content and Services to meet visitors’ needs more effectively. It also enables us to improve the quality of your visit by making sure that the Services are properly formatted for your computer and web browser. Some Internet browsers can be configured to warn you each time a cookie is being sent or to refuse cookies completely. Refer to your browser help menu for more information. You can also manage cookie tracking directly through the third- party service providers that we use.

         

          1. Google Analytics: You may prevent your data from being used by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on, available at http://tools.google.com/dlpage/gaoptout/. Google’s ability to use and share information collected by Google Analytics about your visits to this Site is restricted by the Google Analytics Terms of Service, available at http://www.google.com/analytics/terms/us.html, and the Google Privacy Policy, available at http://www.google.com/policies/privacy/. To learn more about how Google collects and processes data in connection with Google Analytics, visit http://www.google.com/policies/privacy/partners/.

         

          1. Hotjar: You can opt-out of tracking by Hotjar here: http://www.hotjar.com/terms and can learn about Hotjar’s ability to use and share information through the Hotjar Terms & Conditions of Use, available at http://www.hotjar.com/terms, and the Hotjar Privacy Policy, available at http://www.hotjar.com/privacy/.

         

          1. Wistia: Information collected by Wistia in connection with videos played on this website is covered by Wistia’s Privacy Policy, available at http://wistia.com/privacy.

         

          1. Other local storage: Local Shared Objects (also referred to as “Flash cookies”) and HTML5 local storage are similar to cookies in that they are stored on your computer and can be used to store certain information about your activities and preferences. These objects are stored in different parts of your computer from ordinary browser cookies, however. Many Internet browsers allow you to disable HTML5 local storage or delete information contained in HTML5 local storage using browser controls.

         

          1. Web Beacons: Web beacons can be embedded in web pages, videos, or emails, and can allow a web server to read certain types of information from your browser, check whether you have viewed a particular web page or email message, and determine, among other things, the time and date on which you viewed the Web beacon, the IP address of your computer, and the URL of the web page from which the Web beacon was viewed.

         

          1. Do Not Track Signal: Some web browsers may transmit “do-not-track” signals to the websites with which the user communicates. We do not currently take action in response to those signals. If an industry standard on responding to such signals is established and accepted, we may reassess how to respond to those signals.

         

          1. Children’s Information: The Company’s website and services are intended to be used by adults and corporate entities interested in AECOM. They are not intended for children, and AECOM does not knowingly collect or store “Personal Data” about children under 13.

         

        1. Third Party Links: The AECOM website may contain links to other websites or third-party applications such as Facebook, Twitter, LinkedIn, or YouTube. AECOM is not responsible for the privacy practices or the content of these other websites or applications, and we advise you to refer to the policy statements of these third parties to understand how they collect and use information.
    2. Job Applicants/Candidates

      1. Subject to applicable law, AECOM collects “Personal Data” from you in connection with your resume and the application you submit to us when applying for a job. We use your information to evaluate your skills and abilities for job opportunities, verify your information, carry out reference checks and/or background checks (where applicable), communicate with you about the recruitment process, recommend potential career opportunities at AECOM, creating and/or submitting reports as required under applicable laws/regulations, and making improvements to AECOM’s application or recruitment process.

      2. The “Personal Data” we collect may include:

        1. Identification Data – such as full name, preferred name, business address, home address, email address, telephone number, photograph, work, and personal references and contact details, beneficiary and emergency contacts, and other similar contact data.

        2. National identifiers and work eligibility information – national identification number, social security number, social insurance number, government identification number, country, region, and city of birth, nationality, citizenship status, visa status, residency, work permit status, and immigration information.

        3. Employment history and background check information – resume, Curriculum Vitae, work history, professional background, credit history, criminal records, and other information revealed during background screenings (where allowed by law).

        4. Education information – educational history, academic degrees, and qualifications, certifications, and skills.

        5. Electronic and voice communications data – record of our contacts with you, including interviews, and disposition (which may include CCTV footage captured within our offices), and business communications content and data, including IP address and session identification through all applicable communication channels, including email, text, instant message or chat, transcriptions and/or telephone communications, voice recordings, and video recordings.

        6. Sensitive “Personal Data” – This includes information requiring special handling related to racial and ethnic origin, religious beliefs, trade union membership, and health and medical information, including disability status, where we have obtained your consent, or the collection of such data is allowed by applicable law.

        7. Demographic Data* – such as gender, ethnicity, gender identity, transgender status, sexual orientation, and religion.

          * AECOM processes demographic data for a variety of reasons, and this will vary in our different jurisdictions. Our reasons for collecting this data are set forth below. Where the processing of demographic data is not required by law, we will ask for your express consent:

          1. To monitor and ensure diversity and equality of treatment and opportunity; and

          2. To provide work-related accommodations or adjustments; and

          3. Comply with applicable legislation.

        8. Other Data Examples of third-party sources include employment screening agencies, background check agencies, recruiting agencies, service providers, former employers and/or schools and educational institutions, publicly available information on websites or social media (e.g., when applying through LinkedIn, where relevant for recruitment purposes and allowed by applicable law), and others where they are legally allowed to share your “Personal Data” with us. For example, if you register to be contacted by prospective employers on another website, the website may provide your “Personal Data” to us.

    3. Contractors/Subcontractors

      1. AECOM collects “Personal Data” in connection with onboarding you as a contractor or subcontractor to perform our contract with you. We collect and use your “Personal Data” to evaluate your skills and experience, verify your data, to contact you for project opportunities and general business operations, conduct legal due diligence/anti- corruption screening, denied party checks, recording of work time, business continuity and incident response communications, administration of safety and protection of AECOM employees, resources, and workplaces, physical site access and security, accounting/government tax and auditing business purposes, administer quality, safety and compliance checks and reviews to qualify third party contractors for performing work in accordance with applicable quality standards such as ISO 9001 and NQA-1; including use of individuals who are required to maintain specific qualifications or certifications, administration of safety and protection of AECOM systems for recording and monitoring network activity for the purpose of identifying, predicting, and preventing the entry of malicious activity onto or the release of information from the AECOM network and computing resources, and to manage AECOM business and project-related operations.

      2. The “Personal Data” we collect includes:

        1. Identification Data – such as full name, preferred name, business address, home address, email address telephone number, username/password, date of birth, nationality, citizenship status, country of birth, photo/image, and biometric data (i.e., fingerprint scan) where applicable.

        2. Emergency Contacts – such as full name, and telephone number.

        3. Employment and Professional – such as job title/position, prior work or project experience, reference contacts, CV/resume, academic/professional qualifications, skills, work-related licenses, education, references, military status, work permits, training reports.

        4. Government Issued Data – Social security number, federal tax identification number, national identification number, driver’s license number, passport number.

        5. Financial/Insurance Data – bank name and routing and account number, insurance policy information.

        6. Medical/Health – such as medical certificates, work site incident and accident reports,

        7. Electronic and voice communications data – record of our contacts with you, including interviews, and disposition (which may include CCTV footage captured within our offices), and business communications content and data, including IP address and session identification through all applicable communication channels, including email, text, instant message or chat, transcriptions and/or telephone communications, voice recordings, and video recordings.

        8. Other Data – We may also collect “Personal Data” about you from third parties or public sources as needed to support the business relationship or to engage with you concerning projects at AECOM. For example, before and during the business engagement, we may collect information from public sources and professional networking sources, such as MK Denial, your LinkedIn profile, ZoomInfo, etc. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your company information, personal credit, and/or criminal history.

        9. Demographic Data* –such as gender, ethnicity, gender identity, transgender status, sexual orientation, and religion.

          • AECOM processes demographic data for a variety of reasons, and this will vary in our different jurisdictions. Our reasons for collecting this data include:

            1. To monitor and ensure diversity and equality of treatment and opportunity; and

            2. To provide work-related accommodations or adjustments; and

            3. Comply with applicable legislation.

          • Where the processing of demographic data is not required by law, we will ask for your express consent.

    4. Client, Supplier, Joint Venture Staff

      1. As a business partner, AECOM collects “Personal Data” from you to manage existing and prospective clients, customers, suppliers, or other third-party relationships (e.g. in relation to the initiation, conclusion, or fulfillment of a contract); Communicate about products or services we offer or intend to offer, the improvement of our products or services, and the review of our business relationship; perform accounting, auditing, billing, and collection activities; meet legal obligations (e.g. financial and administrative obligations); and establish, enforce or defend against legal claims.

      2. The “Personal Data” we collect includes:

        1. Identification Data – such as full name, preferred name, business/mailing address, email address, and telephone number

        2. Electronic and voice communications data – a record of our contacts with you, including interviews, and disposition (which may include CCTV footage captured within our offices), and business communications content and data, including IP address and session identification through all applicable communication channels, including email, text, instant message or chat, transcriptions and/or telephone communications, voice recordings, and video recordings.

        3. Other Data– such as data on invoices, purchase orders, agreements, bids, proposals, and other related business records that may contain “Personal Data”.

        4. We may also collect “Personal Data” about you from third parties or public sources as needed to support the business relationship or to engage with you concerning projects at AECOM. For example, before and during the business engagement, we may collect information from public sources and professional networking sources, such as MK Denial, your LinkedIn profile, ZoomInfo, etc.

  3. Change of Purpose for Processing Your Personal Data

    1. AECOM will only use your “Personal Data” for the purposes for which it was originally collected unless the Company reasonably considers that the Company needs it for another purpose compatible with the original purpose and there is a legal basis for further Processing. For example, the Company may Process the “Personal Data” you provide to us while researching job openings in reliance on AECOM’s legitimate interests in recruitment for roles, but once you apply for a specific role and are hired into that new role, the Company may need to Process your “Personal Data” to enter an employment contract with you.

    2. However, if “Personal Data” covered by this Notice is to be used for a new purpose that is materially different from that for which the “Personal Data” was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, AECOM will provide you with an opportunity to choose whether to have your “Personal Data” so used or disclosed. Requests to opt-out of such uses or disclosures of “Personal Data” should be sent to: privacyquestions@xgcr.net.

  4. How Your Data is Collected

    We use different methods to collect data from and about you:

      1. Direct Interactions: You give us your “Personal Data” when contacting us through web forms, candidate profiles, interviews, or in response to surveys, jobs, projects, bids, quality and compliance questionnaires, proposals, or other means. This includes information you provide when you submit your CV/resume or contact details through our website, email, and our alumni or talent networks.

     

      1. Third Parties or Publicly Available Sources: Subject to applicable law, AECOM may obtain information about you from a representative of your company (if we are sub-contracting services), publicly available online records (e.g., LinkedIn, ZoomInfo), denied party screening, background check providers, criminal records check, or past or current professional references you supply to us.

     

    1. Combining “Personal Data” from Different Sources: We may combine the “Personal Data” we receive from various sources with “Personal Data” we collect from you and use it as described in this Notice.
  5. Legal Basis for Processing Your Data

    1. If applicable law requires a lawful basis for processing, our lawful basis for collecting and using the “Personal Data” described in this Notice will depend on the type of “Personal Data” concerned and the specific context in which we collect or use it. Depending on the jurisdiction in which you live, there may be other applicable lawful bases for processing your “Personal Data” that are not listed here.

    2. We normally collect or use “Personal Data” from you or others where the processing is necessary because of our contractual obligations with you or is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (e.g., to communicate with you, to evaluate you or your company’s employment or work history, to manage our business relationship with you and manage our processes efficiently and fairly), or where applicable, where we have obtained your consent to process for a specific purpose. In certain situations, we may have a legal obligation to collect or retain “Personal Data” (e.g., to comply with applicable employment and works council laws and regulations) or need the “Personal Data” to protect your vital interests or those of another person.

    3. When we process Sensitive “Personal Data” about you, we will make sure that one or more of the lawful bases for processing Sensitive “Personal Data”, as referenced above, applies. For instance, these include processing which is necessary for the purpose of satisfying our obligations in relation to employment law, processing related to data about you that you have made public (e.g., if you tell us that you are ill) and processing which is necessary for the purpose of establishing, making, or defending legal claims.

    4. AECOM adheres to the following guidelines to ensure that its collection of “Personal Data” is fair and lawful. Specifically, AECOM:

      1. Collects only as much “Personal Data” as is required by law or needed for reasonable and legitimate business purposes.

      2. Collects “Personal Data” in a non-deceptive manner.

      3. Where appropriate, inform individuals which “Personal Data” is required, and which is optional at the time of collection.

      4. Collects “Personal Data” from individuals consistent with local legal requirements.

  6. Retention of Your Personal Data

    1. Your “Personal Data” will be retained only for as long as required to achieve the purposes for which it was collected, in line with this Notice, and will be securely destroyed when no longer required. For example, if you are offered and accept a job at AECOM, we retain certain information in your personnel file; if you are not offered or do not accept the job for which you have applied, we will keep your resume on file for future opportunities unless you opt out. However, we may delete your data after 6 months in certain countries, unless you authorize us to retain your information for longer with respect to potential future job opportunities.

    2. The following criteria are what determine the period for which the Company will keep your Personal Data:

      1. When it is no longer required to be retained to comply with regulatory requirements or financial obligations.

      2. Until we are no longer required to do so by any law, we are subject to.

      3. Until all purposes for which the data was originally gathered have become irrelevant or obsolete.

      4. Until the goods and/or services we have provided are no longer in active use.

    3. Job candidate “Personal Data” may be processed and retained for immigration requirements as part of the rehire process, including the sharing of that data with legal advisers and government bodies. The length of time data may be stored will be based on laws relating to these requirements.

  7. Your Data Privacy Rights

    1. Where permitted or required by applicable law, AECOM extends certain data privacy rights to you.

    2. Note that we may be unable to provide you access to your “Personal Data” in instances where we have destroyed, erased, or anonymized the data, if we are unable to verify your identity using information we have on file for you, or if it would reveal “Personal Data” about another person. We may also refuse any request if applicable law allows or requires us to do so. We will inform you of the reasons for refusal.

    3. If you choose to contact us to submit a request, you will need to provide us with:

      1. Enough information to identify you [(e.g., your full name, address, birth date, or other identifier)]

      2. A description of what right you want to exercise and the information to which your request relates.

    4. We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information, or if someone authorized to act on such person’s behalf.

    5. Any “Personal Data” we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification. You may authorize an agent to make a request to us on your behalf and we will verify the identity of your agent or authorized legal representative by either seeking confirmation from you or documents that establish the agent’s authorization to act on your behalf.

      1. The right to request access. You have the right to request AECOM for copies of your Personal Data.

      2. The right to request rectification. AECOM relies on you to ensure the information you provide to AECOM about you is accurate, complete, and current. If any “Personal Data” is inaccurate or incomplete, you may request that your “Personal Data” be corrected or completed. AECOM will correct or delete “Personal Data” as required by applicable law. You may also request to correct, amend, or delete “Personal Data” that has been processed in violation of applicable data protection law.

      3. The right to request erasure. You have the right to request AECOM delete your “Personal Data” under certain conditions.

      4. The right to withdraw consent. Where you have provided written consent (or positive opt-in) to the collection, processing, or transfer of Personal Data, you may have the legal right to withdraw consent. Where we have processed your “Personal Data” with written consent (or positive opt-in), you can withdraw that consent at any time. Note – withdrawing consent will not affect the lawfulness of any processing the Company conducted prior to withdrawal, nor will it affect the processing of the “Personal Data” conducted in reliance on a lawful basis other than consent.

      5. The right to request portability. You have the right to request AECOM transfer your “Personal Data” that we have collected from you to another organization, or directly to you, under certain conditions.

      6. The right to restrict processing. You have the right to request that AECOM restrict the processing of your Personal Data, under certain conditions.

      7. The right to opt-out of email marketing. You can opt-out of email marketing communications at any time by selecting the email’s “Opt-out” or “Unsubscribe” link or following the instructions in each email subscription communication.

      8. Results of automated decision making. You have the right to request AECOM to conduct a review of automated decision-making that impacts you.

      9. The right to file a complaint. If you consider that your privacy rights have not been adequately addressed, you have the right to submit a complaint to the AECOM Privacy Office or with the supervisory authority in your country of residence.

    6. You can submit a request to exercise these data privacy rights to the AECOM Privacy Office at privacyquestions@xgcr.net. You may also call 888.299.9602. AECOM will request specific information to help confirm identity and rights.

    7. AECOM will not discriminate against individuals for exercising any of their privacy rights allowed or required by applicable data protection law or regulation.

  8. Sharing and Onward Transfer

    AECOM shares “Personal Data” in the following ways:

      1. AECOM Staff: AECOM shares “Personal Data” among staff having a legitimate business need to know based on their respective role with the Company.

     

      1. Subsidiaries and Affiliates: AECOM shares information among AECOM subsidiaries and affiliates for the purposes described in this Privacy Notice, where consistent with applicable legal requirements.

     

      1. Service Providers: AECOM shares “Personal Data” to selected affiliated or trusted service providers to perform services on behalf of the organization. These trusted service providers include, but are not limited to Information Technology Providers, Cloud Providers, Data Hosting Services, Denied and Restricted Party Screening Providers, Background Check Providers, and Data Storage Providers.

     

    1. Clients: AECOM shares certain “Personal Data” as part of our professional services under contract to our clients, including governmental agencies, for project-related work, security clearances or as required by security protocols.
    2. Other Third Parties: AECOM discloses certain “Personal Data” to other third parties:
      1. where required by law or legal process (e.g., to tax and social security authorities)

      2. where AECOM determines it is lawful and appropriate

      3. to protect AECOM’s legal rights (e.g., to defend a litigation suit or under a government investigation or inquiry) or to protect its employees, resources, and workplaces; or

      4. in an emergency where health or security is at stake.

    3. Public Security/Law Enforcement: AECOM may be required to disclose “Personal Data” in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

    AECOM is a global company, with offices, Clients, and Suppliers located throughout the world. As a result, “Personal Data” may be transferred to other AECOM offices, data centers, and servers in Europe, Asia, South America, or the United States for the purposes identified. Any such transfer of “Personal Data” shall take place only under applicable law through legally valid methods, including international data transfer agreements or Standard Contractual Clauses that have been recognized by Data Protection Authorities as providing an adequate level of protection to the “Personal Data” we process globally.

    AECOM will take steps designed to comply with all applicable local laws when Processing Personal Data, including any local law conditions for and restrictions on the transfer of Personal Data.

    AECOM will ensure all transfers of “Personal Data” are subject to appropriate safeguards as defined by data protection laws and regulations.

  9. Data Security

    AECOM has adopted and maintains reasonable and appropriate information security policies, processes and/or procedures to safeguard “Personal Data” from loss, misuse, unauthorized access, disclosure, alteration, destruction, and other Processing. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. As such, we cannot promise, ensure, or warrant the security of any “Personal Data” that you may provide to us.

    AECOM’s information security processes provide for the classification of information and the assignment of protection requirements and information security controls based on the classification of information. The safeguards used to protect “Personal Data” is commensurate with the level of risk involved.

  10. Additional information for California Residents

    1. AECOM does not sell “Personal Data” as part of its business practices. In compliance with Cal. Civ. Code § 1798.130(a)(5)(C)(i), the Company reaffirms that it has not sold your “Personal Data” in the preceding 12 months.

    2. In compliance with Cal. Civ. Code §1798.130(a)(5)(C)(ii) AECOM has shared the following “Personal Data” for a business purpose in the preceding 12 months:

      1. Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers).

      2. Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, the individual’s name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license number, or state identification number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

      3. Characteristics of protected classifications under California or federal law.

      4. Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding an individuals interaction with an Internet Web site, application, or advertisement).

      5. Audio, electronic, visual, thermal, olfactory, or similar information.

      6. Professional or employment-related information.

      7. Inferences drawn from any of the information identified above to create a profile about an individual reflecting the individuals preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

    3. You have the right to know:

      1. The categories of “Personal Data” the Company has collected about you.

      2. The categories of sources from which the “Personal Data” is collected about you.

      3. AECOM’s business or commercial purpose for collecting or sharing “Personal Data” about you.

      4. The categories of third parties with whom the Company shares “Personal Data” about you.

      5. The categories of “Personal Data” that the Company has disclosed about you for a business purpose.

      6. The specific pieces of “Personal Data” the Company have collected about you.

    4. Please note that the Company is not required to:

       

      1. Retain any “Personal Data” about you if, in the ordinary course of business, that information about you is not retained.

      2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; or

      3. Provide the “Personal Data” to you more than twice in a 12-month period.

  11. Exceptions

    Under certain limited or exceptional circumstances, AECOM may, as permitted or required by applicable laws and regulations, process “Personal Data” without providing notice, access or seeking consent. Examples of such circumstances may include investigation of specific allegations of wrongdoing, violation of company policy or criminal activity; protecting employees, the public, or AECOM from harm or wrongdoing; cooperating with law enforcement agencies; auditing financial results or compliance activities; responding to court orders, subpoenas or other legally required disclosures; meeting legal or insurance requirements or defending legal claims or interests; satisfying labor laws or agreements or other legal obligations; collecting debts; protecting AECOM’s information assets, intellectual property and trade secrets; in emergency situations, when vital interests of the individual, such as life or health, are at stake; with respect to access requests, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or the privacy interests of others would be jeopardized; and in cases of business necessity.

  12. Other Important Information

    1. Privacy laws and guidelines are part of a constantly changing environment. AECOM reserves the right, at its discretion, to modify, add, or remove portions of this Privacy Notice or any supplemental privacy notice at any time. Any material change to this Privacy Notice will be available on the website. When the Company makes material changes, the Company will also update Section 15 – Change Log.

    2. AECOM commits to cooperate with European Union data protection authorities (DPAs) and comply with the advice given by such authorities regarding human resources data transferred from the European Union in the context of the employment relationship.

    3. If you are in Australia, Brazil, the European Union, the European Economic Area, Switzerland, or the United Kingdom, the data controller of your “Personal Data” will be the AECOM entity that signs a contract with you or for which you submit your CV/resume in response to a job opportunity.

    4. If you consider that your rights have not been adequately addressed, you have the right to submit a complaint with the supervisory authority in your country of residence, place of work, or the country in which an alleged infringement of data protection law has occurred.

  13. Contacting AECOM Privacy Office

    1. Any questions regarding this Notice or general privacy-related questions or concerns related to your “Personal Data” should be addressed to the AECOM Privacy Office at: privacyquestions@xgcr.net.

    2. For Germany inquiries, you may use the following email address: datenschutz@xgcr.net.

  14. Terms and Definitions

    a.

    Data Privacy

    means the legal rights and expectations of individuals to control how their “Personal

    Data” is collected and used.

    b.

    Personal Data

    means any information relating to describing, reasonably capable of being associated with, or capable of reasonably being linked, directly or indirectly, to an identified or identifiable natural person.

    c.

    Processing

    means any operation or set of operations that is performed upon Personal Data.

    d.

    Sensitive Personal Data

    has definitions that vary from country to country. For example, European data protection laws treat certain categories of “Personal Data” as especially sensitive, e.g., biometric, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying medical or health conditions, or sex life.

    In the United States, sensitive information may include, but is not limited to, Social Security numbers, bank account numbers, passport information, healthcare related information, medical insurance information, credit and debit card numbers, drivers’ license and state ID information, information from children under the age of 13, biometric information, genetic data, precise geo-location, and information about racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation or union

    membership.

  15. Change Log

Rev #

Change Date

Description of Change

Location of Change

0

12-Feb-2020

Initial release as L1-007-PL5

 

1

14-Aug-2020

  • Section 6, subsection i – the inclusion of a chart that outlines specific rights for California residents.

  • Section 6, subsection i – the inclusion of the Ethics hotline as a secondary method for California residents to submit privacy rights requests.

  • Section1, updated to include applicability to job applicants and sub-consultants.

  • Section 2, inclusion of a table representing examples of “Personal Data” collected to comply with transparency requirements under GDPR, CCPA and other data protection laws.

  • Section 12 – updated definitions for “Personal Data” and Sensitive “Personal Data” to comply with CCPA.

  • Section 7 – removed reference to Privacy Shield principles as a mechanism to transfer “Personal Data” from the European Union.

  • Section 7 – inclusion of the use of European Union Standard Contract Clauses and data protection agreements as a mechanism for transfer of “Personal Data” from the European Union.

  • Removed section 8 – reference EU-US Privacy Shield.

 

2

26-Aug-2020

  • Removed references to Privacy Shield in sections 4, 6, and 9

 

3

20-Jan-2023

  • Section 1 –updated entire section to clarify terms and requirements.

  • Section 2.1 – added new section 2.1 for public website data collection.

  • Section 2.2 – added new section 2.2 for collection and processing of candidate data.

  • Section 2.3 – added new section 2.3 for collection and processing of contractor and subcontractor data.

  • Section 2.4 – added new section 2.4 for collection and processing of client and vendor data.

  • Section 3 – added new section 3 for change of purpose of processing data.

  • Section 5 – Updated section 5 for lawful basis of processing data.

  • Section 6 – made updates to use and retention of data.

  • Section 7 – added right of human intervention for automated decision-making results.

  • Section 8 – made updates for sharing and onward transfer of data.

  • Section 10 – added new section 10 for California residents.

  • Section 13 – updated section to reflect email contact for Germany operations.

 

4

22- Sept-2023

  • Section 1 to Section 8 – made minor updates throughout