Revision 3 January 20, 2023

  1. Purpose and Scope

    AECOM takes your privacy seriously. Please read this privacy
    notice(“Notice”) carefully as it contains essential information on how and
    why AECOM and its subsidiaries and affiliates (collectively, “AECOM” or
    the “Company”) Processes your Personal Data. This Notice also explains
    your rights concerning your Personal Data and how to contact Company
    representatives or supervisory authorities in case you have a complaint.

    Within the context of this Notice, “Personal Data” means any information
    relating to an individual who can be identified, directly or indirectly,
    by reference to an identifier such as a name, an identification number,
    location data, an online identifier or to one or more factors specific to
    the physical, physiological, genetic, mental, economic, cultural, or
    social identity of that individual.

    Personal Data does not cover aggregated data, data rendered anonymous, or
    data that has been de-identified. Aggregate data relates to a group or
    category of individuals from which individual identities have been
    removed. Data is rendered anonymous if individual persons are no longer
    identifiable. De-identified data is data that has had identifiable
    elements removed, and cannot reasonably identify, relate to, describe, be
    capable of being associated with, or be linked, directly or indirectly, to
    a particular individual.

    To “Process” Personal Data means any operation or set of operations
    performed upon Personal Data, whether by automatic means or otherwise.
    This includes the collection, recording, organization, storage, updating
    or modification, retrieval, consultation, use, disclosure by transmission,
    dissemination or making available in any other form, linking, alignment or
    combination, blocking, erasure, or destruction of Personal Data.

    The Company will only Process Personal Data according to this Notice
    unless otherwise required by applicable law. The Company takes steps to
    ensure the Personal Data collected is adequate, relevant, not excessive,
    processed for limited purposes, and stored for no longer than is
    reasonably necessary in furtherance of those purposes. The Company does
    not sell “Personal Data”, nor does it share it with third parties for
    cross-context, behavioural advertising.

    If you fail to provide certain Personal Data when requested, the Company
    may not be able to fully perform services as your Employer (such as paying
    you or providing certain employment-related benefits), or the Company
    could be prevented from complying with AECOM’s legal obligations (such as
    to ensure the health and safety of its workers).

    Where local laws are stricter than the policies described in this notice,
    AECOM has adopted specific privacy practices in those locations to satisfy
    those stricter requirements. AECOM will notify employees of such specific
    privacy practices and, in some cases, obtain consent where required by
    law. Where local laws are less strict than this policy, the protections
    described in this notice will apply.

    AECOM collects Personal Data directly from you – in person, by telephone,
    text or email, websites, and apps, or from third-party sources for various
    business purposes as described herein.

    When the text of this Notice or any supplemental notice is available in
    multiple languages, the English version is the authoritative version.

  2. Collection and Processing Data

    1. Public Website Data Collection

      1. Information We Collect Automatically

        Our servers automatically log information about your use of and
        visits to the Services, including through the use of cookies, Web
        beacons, and similar technologies to help personalize content and
        ads, and to analyze website traffic. For example, we may collect
        your IP address, the type of web browser and operating system used
        to access the Services, the time and duration of your visits, and
        information about the content and webpages you view and the
        features you access on the Services.

      2. Information from Third Parties

        We may receive additional information about you from other
        publicly and commercially available sources, as permitted law. We
        may combine all the information we collect or receive about you
        and use or disclose it in the manner described in this Notice.

        As you navigate AECOM’s public website, AECOM may collect
        information such as your Internet Protocol (IP) address, Web
        browser information and your actions while on the site. This
        information will be collected, if at all, using commonly used
        information-gathering tools, such as cookies and web beacons.
        Standing alone, this information does not directly identify you
        personally. You can configure the types of cookies that will be
        active while browsing with the consent manager accessible from the

      3. Information You Provide Directly

        When expressing interest in AECOM’s products or services or using
        our “Contact Us” or similar features, you may have the option to
        provide contact information such as your name, job title,
        organization name, address, e-mail address, phone number,
        comments, and interests.

        We use your information for the following purposes:

        1. To manage your relationship with AECOM and better serve you
          when you are using the Services by personalizing and improving
          your experience. We also may use such information to analyse
          how users use the Services and related analysis, research,
          reporting, and troubleshooting and as we believe is necessary
          or appropriate to protect, enforce, or defend legal rights,
          privacy, safety, or property, whether our own or that of our
          employees or agents or others, and to comply with applicable

        2. To provide the AECOM website and other services to you, to
          communicate with you about your use of our site and services,
          to diagnose technical problems, to respond to your inquiries,
          and for other customer service purposes.

        3. To tailor the content and information that we may send or
          display to you, to offer location customization, and
          personalized help and instructions, and to otherwise
          personalize your experiences while using the Public Website.

        4. To send you marketing information, product recommendations,
          and other non-transactional communications (e.g., marketing
          newsletters) about us, including information about our
          products and services, promotions, special offers, or events
          as necessary or to otherwise contact you about products or
          information we think may interest you. You can opt out of
          being contacted by us for marketing or promotional purposes by
          following the instructions in the marketing emails we send or
          by using the information in the Contact Us” section.
          Additional restrictions on AECOM being able to send you
          marketing information may apply depending on the jurisdiction.

      4. Third-Party Links

        The AECOM website may contain links to other websites or
        third-party applications such as Facebook, Twitter, LinkedIn, or
        YouTube. AECOM is not responsible for the privacy practices or the
        content of these other websites or applications, and we advise you
        to refer to the policy statements of these third parties to
        understand how they collect and use information.

        1. Cookies, Web Beacons, and Similar Technologies

          The Services — as well as certain third parties that provide
          content and other functionality on the Services — use a
          variety of technologies to learn more about how people use the
          Services and the Internet. This section provides more
          information about some of those technologies and how they

          1. Cookies:
            Cookies are small text files used to store information
            about users on the users’ own computer. Cookies may be
            used to recognize you as the same user across different
            visits to the website. Knowing how a user is using the
            Services through cookies enables us to tailor our
            content and Services to meet visitors’ needs more
            effectively. It also enables us to improve the quality
            of your visit by making sure that the Services are
            properly formatted for your computer and web browser.
            Some Internet browsers can be configured to warn you
            each time a cookie is being sent or to refuse cookies
            completely. Refer to your browser help menu for more
            information. You can also manage cookie tracking
            directly through the third-party service providers that
            we use.

          2. Google Analytics:
            You may prevent your data from being used by Google
            Analytics by downloading and installing the Google
            Analytics Opt-out Browser Add-on, available at Google’s ability to use and share information
            collected by Google Analytics about your visits to this
            Site is restricted by the Google Analytics Terms of
            Service, available at, and the Google Privacy Policy, available at To learn more about how Google collects and processes
            data in connection with Google Analytics, visit

          3. Hotjar:
            You can opt-out of tracking by Hotjar here: and can learn about Hotjar’s ability to use and share
            information through the Hotjar Terms & Conditions of
            Use, available at, and the Hotjar Privacy Policy, available at

          4. Wistia:
            Information collected by Wistia in connection with
            videos played on this website is covered by Wistia’s
            Privacy Policy, available at

          5. Other local storage:
            Local Shared Objects (also referred to as “Flash
            cookies”) and HTML5 local storage are similar to cookies
            in that they are stored on your computer and can be used
            to store certain information about your activities and
            preferences. These objects are stored in different parts
            of your computer from ordinary browser cookies, however.
            Many Internet browsers allow you to disable HTML5 local
            storage or delete information contained in HTML5 local
            storage using browser controls.

          6. Web Beacons:
            Web beacons can be embedded in web pages, videos, or
            emails, and can allow a web server to read certain types
            of information from your browser, check whether you have
            viewed a particular web page or email message, and
            determine, among other things, the time and date on
            which you viewed the Web beacon, the IP address of your
            computer, and the URL of the web page from which the Web
            beacon was viewed.

          7. Do Not Track Signal:
            Some web browsers may transmit “do-not-track” signals
            to the websites with which the user communicates. We do
            not currently take action in response to those signals.
            If an industry standard on responding to such signals is
            established and accepted, we may reassess how to respond
            to those signals.

          8. Children’s Information:
            The Company’s website and services is intended to be
            used by adults and corporate entities interested in
            AECOM. They are not intended for children, and AECOM
            does not knowingly collect or store personal information
            about children under the age of 13.

    2. Job Applicants/Candidates

      1. AECOM collects “Personal Data” from you in connection with your
        resume and the application you submit to us when applying for a
        job. We use your information to evaluate your skills and abilities
        for job opportunities, verify your information, carry out
        reference checks and/or background checks (where applicable),
        communicate with you about the recruitment process, recommend
        potential career opportunities at AECOM, creating and/or
        submitting reports as required under applicable laws/regulations,
        and making improvements to AECOM’s application or recruitment

      2. The Personal Data we collect may include:

        1. Identification Data
          – such as full name, preferred name, home address, email
          address, telephone number, and photo/image (if volunteered),
          citizenship status, nationality.

        2. Demographic Data
          – such as gender, ethnicity, disability status, gender
          identity, transgender status, sexual orientation, and

          AECOM processes demographic data for a variety of reasons, and
          this will vary in our different jurisdictions. Our reasons for
          processing this data include:

          1. To monitor and ensure diversity and equality of treatment
            and opportunity.

          2. To provide work-related accommodations or adjustments.

          3. To comply with applicable legislation.

        3. Employment and Professional
          – such as job title/position, hire/term/rehire dates,
          employer information, employment contacts, CV/resume,
          academic/professional qualifications, skills, work-related
          licenses, education, references, military status, work
          permits, current salary, desired salary.

        4. Other Data
          – We may also collect Personal Data about you from third
          parties or public sources to support the employment
          relationship or to engage with you concerning job
          opportunities at AECOM. For example, before and during your
          employment or assignment, we may collect information from
          public professional networking sources, such as your
          LinkedIn profile, for recruitment purposes. We also may
          conduct lawful background screenings, to the extent
          permitted by law, through a third-party vendor for
          information about your past education, employment, credit,
          and/or criminal history.

      3. If you are offered and accept employment with AECOM, the Personal
        Data collected during the job application and recruitment process
        may become part of your employment record.

      4. If you are not offered or accept employment AECOM will keep
        your CV/resume on file for future job openings. You may remove
        your CV/resume by logging into your profile or sending an email

    3. Contractors/Subcontractors

      1. AECOM collects “Personal Data” in connection with onboarding you
        as a contractor or subcontractor to perform our contract with you.
        We collect and use your “Personal Data” to evaluate your skills
        and experience, verify your data, to contact you for project
        opportunities and general business operations, conduct legal due
        diligence/anti- corruption screening, denied party checks,
        recording of work time, business continuity and incident response
        communications, administration of safety and protection of AECOM
        employees, resources, and workplaces, physical site access and
        security, accounting/government tax and auditing business
        purposes, administer quality, safety and compliance checks and
        reviews to qualify third party contractors for performing work in
        accordance with applicable quality standards such as ISO 9001 and
        NQA-1; including use of individuals who are required to maintain
        specific qualifications or certifications, administration of
        safety and protection of AECOM systems for recording and
        monitoring network activity for the purpose of identifying,
        predicting, and preventing the entry of malicious activity onto or
        the release of information from the AECOM network and computing
        resources, and to manage AECOM business and project-related

      2. The Personal Data we collect includes:

        1. Identification Data
          – such as full name, preferred name, business address, home
          address, email address telephone number, username/password,
          date of birth, nationality, citizenship status, country of
          birth, photo/image, and biometric data (i.e., fingerprint
          scan) where applicable.

        2. Emergency Contacts
          – such as full name, and telephone number.

        3. Employment and Professional
          – such as job title/position, prior work or project
          experience, reference contacts, CV/resume,
          academic/professional qualifications, skills, work-related
          licenses, education, references, military status, work
          permits, training reports,

        4. Demographic Data
          –such as gender, ethnicity, gender identity, transgender
          status, sexual orientation, and religion.

      3. AECOM processes demographic data for a variety of reasons, and
        this will vary in our different jurisdictions. Our reasons for
        collecting this data include:

        1. To monitor and ensure diversity and equality of treatment and
          opportunity; and

        2. To provide work-related accommodations or adjustments; and

        3. Comply with applicable legislation.

      4. Where the processing of demographic data is not required by law,
        we will ask for your express consent.

        1. Government Issued Data
          – Social security number, federal tax identification
          number, national identification number, driver’s license
          number, passport number.

        2. Financial/Insurance Data
          – bank name and routing and account number, insurance
          policy information.

        3. Medical/Health
          – such as medical certificates, work site incident and
          accident reports,

        4. Other Data
          – We may also collect Personal Data about you from third
          parties or public sources as needed to support the business
          relationship or to engage with you concerning projects at
          AECOM. For example, before and during the business
          engagement, we may collect information from public sources
          and professional networking sources, such as MK Denial, your
          LinkedIn profile, etc. We also may conduct lawful background
          screenings, to the extent permitted by law, through a
          third-party vendor for information about your company
          information, personal credit, and/or criminal history.

    4. Client, Supplier, Joint Venture Staff

      1. As a business partner, AECOM collects Personal Data from you to
        manage existing and prospective clients, customers, suppliers, or
        other third-party relationships (e.g. in relation to the
        initiation, conclusion, or fulfillment of a contract); Communicate
        about products or services we offer or intend to offer, the
        improvement of our products or services, and the review of our
        business relationship; perform accounting, auditing, billing, and
        collection activities; meet legal obligations (e.g. financial and
        administrative obligations); and establish, enforce or defend
        against legal claims.

      2. The Personal Data we collect includes:

        1. Identification Data
          – such as full name, preferred name, business address,
          email address, and telephone number

        2. Other Data– such as data on invoices, purchase orders, agreements,
          bids, proposals, and other related business records

  3. Change of Purpose for Processing Personal Data

    1. AECOM will only use your Personal Data for the purposes for which it
      was originally collected unless the Company reasonably considers that
      the Company needs it for another purpose compatible with the original
      purpose and there is a legal basis for further Processing. For
      example, the Company may Process the Personal Data you provide to us
      while researching job openings in reliance on AECOM’s legitimate
      interests in recruitment for roles, but once you apply for a specific
      role and are hired into that new role, the Company may need to Process
      your Personal Data in order to enter into an employment contract with

    2. However, if Personal Data covered by this Notice is to be used for
      a new purpose that is materially different from that for which the
      Personal Data was originally collected or subsequently authorized or
      is to be disclosed to a non-agent third party, AECOM will provide
      you with an opportunity to choose whether to have your Personal Data
      so used or disclosed. Requests to opt-out of such uses or
      disclosures of Personal Data should be sent to:

  4. How Data is Collected

    We use different methods to collect data from and about you:

    1. Direct Interactions: You give us your Personal Data when contacting us through
      candidate profiles, through interviews, or in response to surveys,
      jobs, projects, bids, through quality and compliance questionnaires,
      proposals, or other means. This includes information you provide
      when you submit your CV/resume or contact details through our
      website, email, and our alumni or talent networks.

    2. Third Parties or Publicly Available Sources: AECOM may obtain information about you from a representative of
      your company (if we are sub-contracting services), publicly
      available online records, background check providers, criminal
      records check, or past or current professional references you supply
      to us. The organization will seek information from third parties
      only once a job offer, or business opportunity has been made and
      will inform you or your company representative that it is doing

    We do not undertake automated decision making or profiling on Personal
    Data or Sensitive Personal Data.

  5. Legal Basis for Processing

    1. Under data protection law, the Company can only collect and Process
      your Personal Data if there is a lawful or legitimate business reason
      for doing so, such as:

      1. To comply with legal and regulatory obligations.

      2. To meet any contractual obligations the Company may have to you.

      3. For AECOM’s legitimate interests or those of a third party (e.g.,
        business or commercial reasons that do not override your rights
        and interests under applicable data protection law).

      4. When the processing
        is necessary to respond to public health emergencies or protect
        the life, health, or property safety of a natural person under
        emergency circumstance.

      5. Where you have given your consent; or

      6. Other circumstances as required by laws or administrative

    2. AECOM adheres to the following guidelines to ensure that its
      collection of Personal Data is fair and lawful. Specifically, AECOM:

      1. Collects only as much Personal Data as is required by law or
        needed for reasonable and legitimate business purposes.

      2. Collects Personal Data in a non-deceptive manner.

      3. Where appropriate, informs individuals which Personal Data is
        required, and which is optional at the time of collection.

      4. Collects Personal Data from individuals consistent with local
        legal requirements.

    3. AECOM may need to collect Sensitive Personal Data. Where required
      under applicable local law, such Personal Data will be processed with
      consent. Where required by applicable local law, consent to transfers
      or uses of Sensitive Personal Data will be opt-in.

  6. Use and Retention

    1. AECOM uses, stores, retains, and otherwise processes Personal Data
      only for reasonable business purposes and for only as required for
      that business purpose or as authorized.

    2. AECOM does not disclose Personal Data to third parties for direct
      marketing purposes, nor does it sell Personal Data. AECOM does not
      share Personal Data for purposes of behavioural marketing. Processing
      of Personal Data will comply with contractual, regulatory, and local
      legal requirements.

    3. Your Personal Data will be retained only for as long as required to
      achieve the purposes for which it was collected, in line with this
      Notice and will be securely destroyed when no longer required.

    4. The following criteria are what determine the period for which the
      Company will keep your Personal Data:

      1. When it is no longer required to be retained to comply with
        regulatory requirements or financial obligations.

      2. Until we are no longer required to do so by any law we are subject

      3. Until all purposes for which the data was originally gathered have
        become irrelevant or obsolete.

      4. Until the goods and/or services we have provided are no longer in
        active use.

    5. You have the right to submit a request to delete your data in our
      systems. Please note that in some cases where there is a compelling
      legal reason why we are required to keep your data, we will take
      measures to delete unnecessary data and continue to store data
      subjected to the legal requirement.

    6. Job candidate Personal Data may be processed and retained for
      immigration requirements as part of the rehire process, including the
      sharing of that data with legal advisers and government bodies. The
      length of time data may be stored will be based on laws relating to
      these requirements.

  7. Data Privacy Rights

    1. Where permitted or required by applicable law, AECOM extends certain
      data privacy rights to you.

    2. Note that we may be unable to provide you access to your Personal Data
      in instances where we have destroyed, erased, or anonymized the data,
      if we are unable to verify your identity using information we have on
      file for you, or if it would reveal Personal Data about another
      person. We may also refuse any request if applicable law allows or
      requires us to do so. We will inform you of the reasons for refusal.

    3. If you choose to contact us to submit a request, you will need to
      provide us with:

      1. Enough information to identify you [(e.g., your full name,
        address, birthdate, or other identifier)]

      2. A description of what right you want to exercise and the
        information to which your request relates.

    4. We are not obligated to make a data access or data portability
      disclosure if we cannot verify that the person making the request is
      the person about whom we collected information, or if someone
      authorized to act on such person’s behalf.

    5. Any Personal Data we collect from you to verify your identity in
      connection with your request will be used solely for the purposes of

      1. The right to request access. You have the right to request AECOM for copies of your
        Personal Data.

      2. The right to request rectification. AECOM relies on you to ensure the information you provide to
        AECOM about you is accurate, complete and current. If any
        Personal Data is inaccurate or incomplete, you may request that
        your Personal Data be corrected or completed. AECOM will correct
        or delete Personal Data as required by applicable law. You may
        also request to correct, amend, or delete Personal Data that has
        been processed in violation of applicable data protection

      3. The right to request erasure. You have the right to request AECOM delete your Personal Data
        under certain conditions.

      4. The right to withdraw consent.
        Where you have provided written consent (or positive opt-in) to
        the collection, processing, or transfer of Personal Data, you
        may have the legal right to withdraw consent. Where we have
        processed your Personal Data with written consent (or positive
        opt-in), you can withdraw that consent at any time. Note –
        withdrawing consent will not affect the lawfulness of any
        processing the Company conducted prior to withdrawal, nor will
        it affect the processing of the Personal Data conducted in
        reliance on a lawful basis other than consent.

      5. The right to request portability. You have the right to request AECOM transfer your Personal
        Data that we have collected to another organization, or directly
        to you, under certain conditions.

      6. The right to restrict processing. You have the right to request that AECOM restrict the
        processing of your Personal Data, under certain

      7. The right to opt-out of email marketing. You can opt-out of email marketing communications at any time
        by selecting the email’s “Opt-out” or “Unsubscribe” link, or
        following the instructions included in each email subscription

      8. Results of automated decision making. You have the right to request AECOM to conduct a review of
        automated decision making that impacts you.

      9. The right to file a complaint. If you consider that your privacy rights have not been
        adequately addressed, you have the right to submit a complaint
        to the AECOM Privacy Office or with the supervisory authority in your country of

    6. You can submit a request to exercise these data privacy rights to
      the AECOM Privacy Office at
      California residents may also call 888.299.9602. AECOM will request
      specific information to help confirm identity and rights.

    7. AECOM will not discriminate against individuals for exercising any of
      their privacy rights allowed or required by applicable data protection
      law or regulation.

  8. Sharing and Onward Transfer

    AECOM shares Personal Data in the following ways:

    1. AECOM Staff: AECOM shares Personal Data among staff having a legitimate
      business need to know based on their respective role with the

    2. Subsidiaries and Affiliates: AECOM shares information among AECOM subsidiaries and affiliates
      for the purposes described in this Privacy Notice where consistent
      with applicable legal requirements.

    3. Service Providers: AECOM shares Personal Data to selected affiliated or trusted
      service providers to perform services on behalf of the organization.
      These trusted service providers include, but are not limited to
      Information Technology Providers, Cloud Providers, Data Hosting
      Services, Denied and Restricted Party Screening Providers,
      Background Check Providers, and Data Storage Providers.

    4. Clients: AECOM shares certain Personal Data as part of our professional
      services under contract to our clients, including governmental
      agencies, for project-related work, security clearances or as
      required by security protocols.

    5. Other Third Parties: AECOM discloses certain Personal Data to other third

      1. where required by law or legal process (e.g., to tax and social
        security authorities);

      2. where AECOM determines it is lawful and appropriate;

      3. to protect AECOM’s legal rights (e.g., to defend a litigation suit
        or under a government investigation or inquiry) or to protect its
        employees, resources, and workplaces; or

      4. in an emergency where health or security is at stake.

    6. Public Security/Law Enforcement: AECOM may be required to disclose Personal Data in response to
      lawful requests by public authorities, including meeting national
      security or law enforcement requirements.

    AECOM is a global company, with offices, Clients, and Suppliers located
    throughout the world. As a result, Personal Data may be transferred to
    other AECOM offices, data centers, and servers in Europe, Asia, South
    America, or the United States for the purposes identified. Any such
    transfer of Personal Data shall take place only under applicable law and
    the use of Standard Contract Clauses, European Union Standard Contract
    Clauses and data protection agreements.

    AECOM will take steps designed to comply with all applicable local laws
    when Processing Personal Data, including any local law conditions for and
    restrictions on the transfer of Personal Data.

    AECOM may also protect data through other legally valid methods, including
    international data transfer agreements or Standard Contractual Clauses
    that have been recognized by Data Protection Authorities as providing an
    adequate level of protection to the Personal Data we process globally.

    AECOM will ensure all transfers of Personal Data are subject to
    appropriate safeguards as defined by data protection laws and regulations.

  9. Data Security

    AECOM has adopted and maintains reasonable and appropriate information
    security policies, processes and/or procedures to safeguard Personal Data
    from loss, misuse, unauthorized access, disclosure, alteration,
    destruction, and other Processing. However, no method of transmission over
    the Internet, or method of electronic storage, is 100% secure. As such, we
    cannot promise, ensure, or warrant the security of any Personal Data that
    you may provide to us.

    AECOM’s information security processes provide for the classification of
    information and the assignment of protection requirements and information
    security controls based on the classification of information. The
    safeguards used to protect Personal Data is commensurate with the level of
    risk involved.

  10. Additional information for California Residents

    1. AECOM does not sell Personal Data as part of its business practices.
      In compliance with Cal. Civ. Code § 1798.130(a)(5)(C)(i), the Company
      reaffirms that it has not sold your Personal Data in the preceding 12

    2. In compliance with Cal. Civ. Code §1798.130(a)(5)(C)(ii) AECOM has
      shared the following Personal Data for a business purpose in the
      preceding 12 months:

      1. Identifiers (e.g., a real name, alias, postal address, unique
        personal identifier, online identifier, Internet Protocol address,
        email address, account name, social security number, driver's
        license number, passport number, or other similar identifiers).

      2. Information that identifies, relates to, describes, or is capable
        of being associated with, a particular individual, including, but
        not limited to, the individual’s name, signature, social security
        number, physical characteristics or description, address,
        telephone number, passport number, driver's license number, or
        state identification number, insurance policy number, education,
        employment, employment history, bank account number, credit card
        number, debit card number, or any other financial information,
        medical information, or health insurance information.

      3. Characteristics of protected classifications under California or
        federal law.

      4. Internet or other electronic network activity information (e.g.,
        browsing history, search history, and information regarding an
        individuals interaction with an Internet
        Web site, application, or advertisement).

      5. Audio, electronic, visual, thermal, olfactory, or similar

      6. Professional or employment-related information.

      7. Inferences drawn from any of the information identified above to
        create a profile about an individual reflecting the
        individuals preferences, characteristics,
        psychological trends, predispositions, behavior, attitudes,
        intelligence, abilities, and aptitudes.

    3. In addition to the rights discussed in Section 7, California residents
      have certain other privacy rights as described below. You can submit a
      request to exercise these data privacy rights to the AECOM Privacy
      Office at You may also call 888.299.9602.

    4. You have the right to know:

      1. The categories of Personal Data the Company has collected about

      2. The categories of sources from which the Personal Data is
        collected about you.

      3. AECOM’s business or commercial purpose for collecting or sharing
        Personal Data about you.

      4. The categories of third parties with whom the Company shares
        Personal Data about you.

      5. The categories of Personal Data that the Company has disclosed
        about you for a business purpose.

      6. The specific pieces of Personal Data the Company have collected
        about you.

    5. Please note that the Company are not required to:

      1. Retain any personal data about you if, in the ordinary course of
        business, that information about you is not retained.

      2. Reidentify or otherwise link any data that, in the ordinary course
        of business, is not maintained in a manner that would be
        considered Personal Data; or

      3. Provide the Personal Data to you more than twice in a 12-month

  11. Exceptions

    Under certain limited or exceptional circumstances, AECOM may, as
    permitted or required by applicable laws and regulations, process Personal
    Data without providing notice, access or seeking consent. Examples of such
    circumstances may include investigation of specific allegations of
    wrongdoing, violation of company policy or criminal activity; protecting
    employees, the public, or AECOM from harm or wrongdoing; cooperating with
    law enforcement agencies; auditing financial results or compliance
    activities; responding to court orders, subpoenas or other legally
    required disclosures; meeting legal or insurance requirements or defending
    legal claims or interests; satisfying labor laws or agreements or other
    legal obligations; collecting debts; protecting AECOM’s information
    assets, intellectual

    property and trade secrets; in emergency situations, when vital interests
    of the individual, such as life or health, are at stake; with respect to
    access requests, where the burden or expense of providing access would be
    disproportionate to the risks to the individual’s privacy or the privacy
    interests of others would be jeopardized; and in cases of business

  12. Other Important Information

    1. Privacy laws and guidelines are part of a constantly changing
      environment. AECOM reserves the right, at its discretion, to modify,
      add, or remove portions of this Privacy Notice or any supplemental
      privacy notice at any time. Any material change to this Privacy
      Notice will be made available to you. When the Company makes
      material changes, the Company will also update Section 15 – Change Log.

    2. AECOM commits to cooperate with European Union data protection
      authorities (DPAs) and comply with the advice given by such
      authorities regarding human resources data transferred from the
      European Union in the context of the employment relationship.

    3. If you are in the European Union, the European Economic Area,
      Switzerland, or the United Kingdom, the data controller of your
      Personal Data will be the AECOM entity that signs a contract with you
      or for which you submit your CV/resume in response to a job

    4. If you consider that your rights have not been adequately addressed,
      you have the right to submit a complaint with the supervisory
      authority in your country of residence, place of work, or the country
      in which an alleged infringement of data protection law has occurred.

  13. Contacting AECOM Privacy Office

    1. Any questions regarding this Notice or general privacy-related
      questions or concerns related to your Personal Data should be
      addressed to the AECOM Privacy Office at:

    2. For Germany inquiries, you may use the following email address:

  14. Terms and Definitions


    Data Privacy

    means the legal rights and expectations of individuals to control
    how their Personal Data is collected and used.


    Personal Data

    means any information relating to describing, reasonably capable of
    being associated with, or capable of reasonably being linked,
    directly or indirectly, to an identified or identifiable natural



    means any operation or set of operations that is performed upon
    Personal Data.


    Sensitive Personal Data

    has definitions that vary from country to country. For example,
    European data protection laws treat certain categories of Personal
    Data as especially sensitive, e.g., biometric, information about
    racial or ethnic origin, political opinions, religious or
    philosophical beliefs, trade union membership, information
    specifying medical or health conditions, or sex life.

    In the United States, sensitive information may include, but is not
    limited to, Social Security numbers, bank account numbers, passport
    information, healthcare related information, medical insurance
    information, credit and debit card numbers, drivers’ license and
    state ID information, information from children under the age of 13,
    biometric information, genetic data, precise geo-location, and
    information about racial or ethnic origin, religious or
    philosophical beliefs, sex life, sexual orientation or union


  15. Change Log‌

Rev #

Change Date

Description of Change

Location of Change



Initial release as L1-007-PL5



  • Section 6, subsection i – the inclusion of a chart that outlines
    specific rights for California residents.

  • Section 6, subsection i – the inclusion of the Ethics hotline as a
    secondary method for California residents to submit privacy rights

  • Section1, updated to include applicability to job applicants and

  • Section 2, inclusion of a table representing examples of personal
    data collected to comply with transparency requirements under GDPR,
    CCPA and other data protection laws.

  • Section 12 – updated definitions for Personal Data and Sensitive
    Personal Data to comply with CCPA

  • Section 7 – removed reference to Privacy Shield principles as a
    mechanism to transfer personal data from the European Union.

  • Section 7 – inclusion of the use of European Union Standard Contract
    Clauses and data protection agreements as a mechanism for transfer
    of personal data from the European Union.

  • Removed section 8 – reference EU-US Privacy Shield.



  • Removed references to Privacy Shield in sections 4, 6, and 9



  • Section 1 –updated entire section to clarify terms and requirements.

  • Section 2.1 – added new section 2.1 for public website data

  • Section 2.2 – added new section 2.2 for collection and processing of
    candidate data.

  • Section 2.3 – added new section 2.3 for collection and processing of
    contractor and subcontractor data.

  • Section 2.4 – added new section 2.4 for collection and processing of
    client and vendor data.

  • Section 3 – added new section 3 for change of purpose of processing

  • Section 5 – Updated section 5 for lawful basis of processing data.

  • Section 6 – made updates to use and retention of data.

  • Section 7 – added right of human intervention for automated decision
    making results.

  • Section 8 – made updates for sharing and onward transfer of data.

  • Section 10 – added new section 10 for California residents.

  • Section 13 – updated section to reflect email contact for Germany