1.0 Purpose

In the regular course of business, AECOM acquires Personal Information by interaction and communication with current, former and prospective employees, clients and other third parties. AECOM takes seriously its obligations to protect such Personal Information. As evidence of its commitment to privacy, AECOM’s management has established this Global Privacy Statement (the “Statement”) to articulate the privacy and data protection principles that guide AECOM’s practices around the world.

This Statement reflects consideration of the principles of various privacy frameworks, including the Organization for Economic Cooperation and Development (“OECD”) Fair Information Practices Principles (“FIPPs”) and the American Institute of CPAs (“AICPA”) Generally Accepted Privacy Principles (“GAPP”).

This Statement and related AECOM policies are designed to accomplish the following specific objectives:

  • Increase awareness of regulatory, legal, and corporate requirements for handling and protecting Personal Information
  • Set forth minimum guidelines for the collection, use, sharing, protection, and other Processing of Personal Information
  • Enable AECOM to meet business, legal, and regulatory responsibilities relating to Personal Information

Under no circumstances does this Statement create any legal rights for any employee or any third party, nor is it a contract.

2.0 Scope and Applicability

This Statement applies to all AECOM businesses, functions, regions, and subsidiary companies (referred to collectively in this Statement as “AECOM”).

This Statement establishes minimum worldwide guidelines for AECOM for collecting, using, sharing, protecting, and otherwise Processing Personal Information. It applies to any Personal Information that is collected, stored, transferred, or otherwise Processed, whether in electronic or paper form, by or on behalf of AECOM. This includes Personal Information that pertains to AECOM’s customers, vendors, contractors, or other third-parties.

All Personal Information must be handled and protected according to the requirements set forth in this Statement, subject to the circumstances described under the Exceptions (Section D.12) of this Statement. Additional policies and specific practices may be tailored to meet the legal, regulatory, and cultural requirements of the countries and regions where AECOM operates (e.g., through geography-specific data privacy policies).

3.0 Definitions

AECOM uses the following definitions:

  • Data Privacy” means the legal rights and expectations of individuals to control how their Personal Information is collected and used.
  • Personal Information” means any information relating to an identified or identifiable natural person. For purposes of the AECOM Information Classification Standards and Controls, most Personal Information shall be deemed Highly Restricted Information.
  • Processing” means any operation or set of operations that is performed upon Personal Information.
  • Sensitive Personal Information” has definitions that vary from country to country. For example, European data protection laws treat certain categories of Personal Information as especially sensitive, e.g., information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying medical or health conditions, or sex life. For specific information on what constitutes Sensitive Personal Information in a particular country, please refer to the applicable geography data privacy policy or contact the appropriate individual for your geography as set forth in Section 11.

4.0 Statement

4.1 Global Fundamentals

The principles that guide AECOM’s practices for handling Personal Information include notice, choice and consent, collection and classification, use and retention, data access, disclosure and onward transfer, data security, and data integrity and data quality.

It is AECOM’s policy to abide by the privacy and data protection laws in the countries in which we do business.

4.2 Notice

Where required, AECOM provides individuals appropriate notice about the purposes for which it collects, stores, discloses, and/or otherwise Processes Personal Information about them. Depending upon applicable legal requirements, notice to individuals may include some or all of the following information:

  • AECOM’s participation in privacy frameworks, such as the EU-U.S. Privacy Shield (“Privacy Shield”), and its commitment to subject to the Privacy Shield Principles all Personal Information received from the EU in reliance on the Privacy Shield;
  • The type of Personal Information that is collected;
  • The purpose(s) for which the Personal Information is collected;
  • If there is a legal requirement to collect the Personal Information, a statement of this fact;
  • How the Personal Information will be used or processed;
  • If the Personal Information will be collected by or disclosed to third parties, a statement of this fact, the types or identities of third party recipients, and the purpose(s) for doing so;
  • If applicable, how individuals can access their Personal Information and correct or delete it if it is inaccurate or processed in violation of the Privacy Shield;
  • The choices and means AECOM offers individuals to limit the use and disclosure of their Personal Information;
  • If applicable, information appropriate with respect to cross-border data transfers;
  • If applicable, any relevant establishment in the EU that can respond to inquiries or complaints under the Privacy Shield;
  • How to contact AECOM with questions, corrections, complaints, and disputes;
  • The independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge under the Privacy Shield.
  • That individuals may be able to invoke binding arbitration in certain circumstances under the Privacy Shield.
  • That AECOM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
  • That AECOM may be liable for violations under the Privacy Shield if AECOM transfers Personal Information to certain third parties.
  • That AECOM is required to disclose Personal Information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements.

Where feasible, AECOM provides notice to an individual at or before the time of the collection of Personal Information or as soon thereafter as is practicable, but in any event before AECOM uses the Personal Information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

4.3 Choice and Consent

AECOM obtains consent from or provides other choices to individuals regarding the Processing of their Personal Information when required by applicable law. AECOM also appropriately communicates any choices available to individuals with respect to AECOM’s sharing of their Personal Information with third parties or access to their Personal Information by third parties.

Specifically, when consent or choice is required or otherwise determined to be appropriate, AECOM:

  • Requests the consent of the individual using a type of consent (opt-out or opt-in, implicit or explicit) or other choice mechanism that is appropriate in light of applicable requirements. In some jurisdictions, there may be local legal requirements relating to consent or choice that apply to a category(ies) of Sensitive Personal Information. With respect to data transferred from the EU in reliance on the Privacy Shield, AECOM obtains opt-in consent before disclosing Sensitive Personal Information to a third party or using it for a purpose other than those for which it was originally collected or subsequently authorized by the individual via opt-in consent.
  • As appropriate, informs individuals of the consequences for failing to consent or to provide their information.
  • As appropriate, informs individuals regarding how they can change their consent decisions or choices.
  • Processes an individual’s Personal Information in a manner that is consistent with consent or other choices exercised by the individual.

Consent should be obtained in accordance with local country laws and regulations. Additional safeguards may be required depending on jurisdiction and the type of information at issue.

4.4 Collection and Classification

AECOM follows the following guidelines to ensure that its collection of Personal Information is fair and lawful. Specifically, AECOM:

  • Collects only as much Personal Information as is required by law or needed for reasonable business purposes.
  • Collects Personal Information in a non-deceptive manner.
  • Where appropriate, informs individuals which Personal Information is required and which is optional at the time of collection.
  • Collects Personal Information from individuals consistent with local legal requirements.

4.5 Use and Retention

AECOM uses, stores, retains and otherwise Processes Personal Information only for reasonable business purposes or as authorized by the individual, and such Processing should comply with contractual, regulatory, and local legal requirements.

Personal Information should be retained and destroyed in accordance with applicable AECOM data retention policies and procedures, and should only be retained for as long as it serves a purpose of processing for which it was collected or subsequently authorized.

4.6 Data Access

Where required by applicable law or otherwise appropriate, AECOM provides individuals with appropriate access to the Personal Information about them that is maintained by AECOM and the ability to correct the data, as applicable. Further to this, AECOM will:

  • Respond to requests for access to Personal Information made through appropriate channels in a timely manner.
  • Authenticate individuals requesting access before allowing access to or providing Personal Information.
  • If applicable, provide a reason to the individual for denying access, with a point of contact for further inquiry.
  • For Personal Information collected or transferred in reliance on the Privacy Shield, AECOM will allow individuals to correct, amend, or delete information about them that is inaccurate or processed in violation of the Privacy Shield Principles unless the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of other people would be violated.

4.7 Disclosure and Onward Transfer

AECOM may share an individual’s Personal Information with third parties as required for reasonable business purposes, including providing services and products to clients and administration of employee benefits and provision of other services to employees, and otherwise in accordance with applicable legal requirements.

With respect to third parties that Process Personal Information on behalf of AECOM, AECOM will seek to put in place appropriate controls to ensure that such third parties afford the applicable Personal Information an appropriate level of protection.
As a global company operating in many locations around the world, AECOM may use data centers and other data processors located outside of the country where the data is collected to store Personal Information. AECOM will abide by any local laws applicable to collection and transfer of Personal Information.

For Personal Information collected or transferred in reliance on the Privacy Shield, AECOM will abide by the requirements of the Accountability for Onward Transfer Principle, including contracts with third-party data controller recipients that adhere to Privacy Shield requirements.

4.8 Data Security

AECOM has adopted and maintains reasonable and appropriate information security policies, processes and/or procedures to safeguard Personal Information from loss, misuse, unauthorized access, disclosure, alteration, destruction, and other Processing.

AECOM’s information security processes provide for the classification of information and the assignment of protection requirements and information security controls based on the classification of information. The safeguards used to protection Personal Information should be commensurate with the type of Personal Information being Processed and the risks involved.

4.9 Data Integrity and Data Quality

Consistent with the goal of protecting the accuracy, completeness and relevance of Personal Information that it maintains, AECOM collects Personal Information directly from the applicable individual or will seek to put in place measures to verify that Personal Information collected from third parties is reliable and legally obtained. AECOM takes other steps that may be appropriate to comply with applicable legal obligations that relate to the accuracy, completeness, and relevance of Personal Information it maintains.

4.10 EU-U.S. Privacy Shield

AECOM complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union to the United States. AECOM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

AECOM’s participation in the Privacy Shield applies to all Personal Information that is transferred from the European Union and European Economic Area and Switzerland to the United States. AECOM will comply with the Privacy Shield Principles in respect of such Personal Information.

AECOM’s accountability for Personal Information that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, AECOM remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to Process the Personal Information on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless AECOM proves that it is not responsible for the event giving rise to the damage. AECOM may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have a Privacy Shield-related (or general privacy-related) question, we encourage you to contact us at privacyquestions@aecom.com. AECOM has designed JAMS, an alternative dispute resolution provider, to address complaints and provide appropriate recourse free of charge to individuals with respect to the Privacy Shield. Individuals may contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield.  As explained in the Privacy Shield Principles, a binding arbitration option will be made available to you in order to address residual complaints not resolved by any other means.  AECOM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

4.11 Local Standards

AECOM complies with applicable privacy and data protection laws in the locations in which AECOM operates.

In some countries, local laws or regulations may provide stricter requirements than set forth in this Statement. AECOM adopts country-specific privacy policies where it does business reflecting the principles and requirements of this Statement to the extent possible.

4.12 Exceptions

Under certain limited or exceptional circumstances, AECOM may, as permitted or required by applicable laws and regulations or the Privacy Shield if applicable, process Personal Information without providing notice, access or seeking consent. Examples of such circumstances may include investigation of specific allegations of wrongdoing, violation of company policy or criminal activity; protecting employees, the public, or AECOM from harm or wrongdoing; cooperating with law enforcement agencies; auditing financial results or compliance activities; responding to court orders, subpoenas or other legally required disclosures; meeting legal or insurance requirements or defending legal claims or interests; satisfying labor laws or agreements or other legal obligations; collecting debts; protecting AECOM’s information assets, intellectual property and trade secrets; in emergency situations, when vital interests of the individual, such as life or health, are at stake; with respect to access requests, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or the privacy interests of others would be jeopardized; and in cases of business necessity.

5.0 Complaints and Questions

AECOM addresses complaints regarding the Processing of Personal Information.

In those countries in which there is an AECOM data privacy officer, that person is the primary point of contact for complaints or questions relating to the processing of Personal Information.

In those countries in which there is no AECOM data privacy officer, complaints or questions relating to the processing of potential, current, and former employee Personal Information should be directed to the local human resources representative or Information Technology. All other questions about the processing of Personal Information should be directed to Information Technology.