Revision 3 January 20, 2023

  1. Purpose and Scope

    AECOM takes your privacy seriously. Please read this privacy
    notice (“Notice”) carefully as it contains essential information on how and
    why AECOM and its subsidiaries and affiliates (collectively, “AECOM” or
    the “Company”) Processes your Personal Data. This Notice also explains
    your rights concerning your Personal Data and how to contact Company
    representatives or supervisory authorities in case you have a complaint.

    Within the context of this Notice, “Personal Data” means any information
    relating to an individual who can be identified, directly or indirectly,
    by reference to an identifier such as a name, an identification number,
    location data, an online identifier or to one or more factors specific to
    the physical, physiological, genetic, mental, economic, cultural, or
    social identity of that individual.

    Personal Data does not cover aggregated data, data rendered anonymous, or
    data that has been de-identified. Aggregate data relates to a group or
    category of individuals from which individual identities have been
    removed. Data is rendered anonymous if individual persons are no longer
    identifiable. De-identified data is data that has had identifiable
    elements removed, and cannot reasonably identify, relate to, describe, be
    capable of being associated with, or be linked, directly or indirectly, to
    a particular individual.

    To “Process” Personal Data means any operation or set of operations
    performed upon Personal Data, whether by automatic means or otherwise.
    This includes the collection, recording, organization, storage, updating
    or modification, retrieval, consultation, use, disclosure by transmission,
    dissemination or making available in any other form, linking, alignment or
    combination, blocking, erasure, or destruction of Personal Data.

    The Company will only Process Personal Data according to this Notice
    unless otherwise required by applicable law. The Company takes steps to
    ensure the Personal Data collected is adequate, relevant, not excessive,
    processed for limited purposes, and stored for no longer than is
    reasonably necessary in furtherance of those purposes. The Company does
    not sell “Personal Data”, nor does it share it with third parties for
    cross-context, behavioural advertising.

    If you fail to provide certain Personal Data when requested, the Company
    may not be able to fully perform services as your Employer (such as paying
    you or providing certain employment-related benefits), or the Company
    could be prevented from complying with AECOM’s legal obligations (such as
    to ensure the health and safety of its workers).

    Where local laws are stricter than the policies described in this notice,
    AECOM has adopted specific privacy practices in those locations to satisfy
    those stricter requirements. AECOM will notify employees of such specific
    privacy practices and, in some cases, obtain consent where required by
    law. Where local laws are less strict than this policy, the protections
    described in this notice will apply.

    AECOM collects Personal Data directly from you – in person, by telephone,
    text or email, websites, and apps, or from third-party sources for various
    business purposes as described herein.

    When the text of this Notice or any supplemental notice is available in
    multiple languages, the English version is the authoritative version.

  2. Collection and Processing Data

    1. Public Website Data Collection

      1. Information We Collect Automatically

        Our servers automatically log information about your use of and
        visits to the Services, including through the use of cookies, Web
        beacons, and similar technologies to help personalize content and
        ads, and to analyze website traffic. For example, we may collect
        your IP address, the type of web browser and operating system used
        to access the Services, the time and duration of your visits, and
        information about the content and webpages you view and the
        features you access on the Services.

      2. Information from Third Parties

        We may receive additional information about you from other
        publicly and commercially available sources, as permitted by law. We
        may combine all the information we collect or receive about you
        and use or disclose it in the manner described in this Notice.

        As you navigate AECOM’s public website, AECOM may collect
        information such as your Internet Protocol (IP) address, Web
        browser information and your actions while on the site. This
        information will be collected, if at all, using commonly used
        information-gathering tools, such as cookies and web beacons.
        Standing alone, this information does not directly identify you
        personally. You can configure the types of cookies that will be
        active while browsing with the consent manager accessible from the
        site.

      3. Information You Provide Directly

        When expressing interest in AECOM’s products or services or using
        our “Contact Us” or similar features, you may have the option to
        provide contact information such as your name, job title,
        organization name, address, e-mail address, phone number,
        comments, and interests.

        We use your information for the following purposes:

        1. To manage your relationship with AECOM and better serve you
          when you are using the Services by personalizing and improving
          your experience. We also may use such information to analyse
          how users use the Services and related analysis, research,
          reporting, and troubleshooting and as we believe is necessary
          or appropriate to protect, enforce, or defend legal rights,
          privacy, safety, or property, whether our own or that of our
          employees or agents or others, and to comply with applicable
          law.

        2. To provide the AECOM website and other services to you, to
          communicate with you about your use of our site and services,
          to diagnose technical problems, to respond to your inquiries,
          and for other customer service purposes.

        3. To tailor the content and information that we may send or
          display to you, to offer location customization, and
          personalized help and instructions, and to otherwise
          personalize your experiences while using the Public Website.

        4. To send you marketing information, product recommendations,
          and other non-transactional communications (e.g., marketing
          newsletters) about us, including information about our
          products and services, promotions, special offers, or events
          as necessary or to otherwise contact you about products or
          information we think may interest you. You can opt out of
          being contacted by us for marketing or promotional purposes by
          following the instructions in the marketing emails we send or
          by using the information in the “Contact Us” section.
          Additional restrictions on AECOM being able to send you
          marketing information may apply depending on the jurisdiction.

      4. Third-Party Links

        The AECOM website may contain links to other websites or
        third-party applications such as Facebook, Twitter, LinkedIn, or
        YouTube. AECOM is not responsible for the privacy practices or the
        content of these other websites or applications, and we advise you
        to refer to the policy statements of these third parties to
        understand how they collect and use information.

        1. Cookies, Web Beacons, and Similar Technologies

          The Services — as well as certain third parties that provide
          content and other functionality on the Services — use a
          variety of technologies to learn more about how people use the
          Services and the Internet. This section provides more
          information about some of those technologies and how they
          work.

          1. Cookies:
            Cookies are small text files used to store information
            about users on the users’ own computer. Cookies may be
            used to recognize you as the same user across different
            visits to the website. Knowing how a user is using the
            Services through cookies enables us to tailor our
            content and Services to meet visitors’ needs more
            effectively. It also enables us to improve the quality
            of your visit by making sure that the Services are
            properly formatted for your computer and web browser.
            Some Internet browsers can be configured to warn you
            each time a cookie is being sent or to refuse cookies
            completely. Refer to your browser help menu for more
            information. You can also manage cookie tracking
            directly through the third-party service providers that
            we use.

          2. Google Analytics:
            You may prevent your data from being used by Google
            Analytics by downloading and installing the Google
            Analytics Opt-out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout/. Google’s ability to use and share information
            collected by Google Analytics about your visits to this
            Site is restricted by the Google Analytics Terms of
            Service, available at http://www.google.com/analytics/terms/us.html, and the Google Privacy Policy, available at http://www.google.com/policies/privacy/. To learn more about how Google collects and processes
            data in connection with Google Analytics, visit http://www.google.com/policies/privacy/partners/.

          3. Hotjar:
            You can opt out of tracking by Hotjar here: https://www.hotjar.com/opt-out/ and can learn about Hotjar’s ability to use and share
            information through the Hotjar Terms & Conditions of
            Use, available at https://www.hotjar.com/terms, and the Hotjar Privacy Policy, available at https://www.hotjar.com/privacy/.

          4. Wistia:
            Information collected by Wistia in connection with
            videos played on this website is covered by Wistia’s
            Privacy Policy, available at https://wistia.com/privacy.

          5. Other local storage:
            Local Shared Objects (also referred to as “Flash
            cookies”) and HTML5 local storage are similar to cookies
            in that they are stored on your computer and can be used
            to store certain information about your activities and
            preferences. These objects are stored in different parts
            of your computer from ordinary browser cookies, however.
            Many Internet browsers allow you to disable HTML5 local
            storage or delete information contained in HTML5 local
            storage using browser controls.

          6. Web Beacons:
            Web beacons can be embedded in web pages, videos, or
            emails, and can allow a web server to read certain types
            of information from your browser, check whether you have
            viewed a particular web page or email message, and
            determine, among other things, the time and date on
            which you viewed the Web beacon, the IP address of your
            computer, and the URL of the web page from which the Web
            beacon was viewed.

          7. Do Not Track Signal:
            Some web browsers may transmit “do-not-track” signals
            to the websites with which the user communicates. We do
            not currently take action in response to those signals.
            If an industry standard on responding to such signals is
            established and accepted, we may reassess how to respond
            to those signals.

          8. Children’s Information:
            The Company’s website and services are intended to be
            used by adults and corporate entities interested in
            AECOM. They are not intended for children, and AECOM
            does not knowingly collect or store personal information
            about children under the age of 13.

    2. Job Applicants/Candidates

      1. AECOM collects “Personal Data” from you in connection with your
        resume and the application you submit to us when applying for a
        job. We use your information to evaluate your skills and abilities
        for job opportunities, verify your information, carry out
        reference checks and/or background checks (where applicable),
        communicate with you about the recruitment process, recommend
        potential career opportunities at AECOM, create and/or
        submit reports as required under applicable laws/regulations,
        and make improvements to AECOM’s application or recruitment
        process.

      2. The Personal Data we collect may include:

        1. Identification Data
          – such as full name, preferred name, home address, email
          address, telephone number, and photo/image (if volunteered),
          citizenship status, nationality.

        2. Demographic Data
          – such as gender, ethnicity, disability status, gender
          identity, transgender status, sexual orientation, and
          religion.

          AECOM processes demographic data for a variety of reasons, and
          this will vary in our different jurisdictions. Our reasons for
          processing this data include:

          1. To monitor and ensure diversity and equality of treatment
            and opportunity.

          2. To provide work-related accommodations or adjustments.

          3. To comply with applicable legislation.

        3. Employment and Professional
          – such as job title/position, hire/term/rehire dates,
          employer information, employment contacts, CV/resume,
          academic/professional qualifications, skills, work-related
          licenses, education, references, military status, work
          permits, current salary, desired salary.

        4. Other Data
          – We may also collect Personal Data about you from third
          parties or public sources to support the employment
          relationship or to engage with you concerning job
          opportunities at AECOM. For example, before and during your
          employment or assignment, we may collect information from
          public professional networking sources, such as your
          LinkedIn profile, for recruitment purposes. We also may
          conduct lawful background screenings, to the extent
          permitted by law, through a third-party vendor for
          information about your past education, employment, credit,
          and/or criminal history.

      3. If you are offered and accept employment with AECOM, the Personal
        Data collected during the job application and recruitment process
        may become part of your employment record.

      4. If you are not offered or do not accept employment, AECOM will keep
        your CV/resume on file for future job openings. You may remove
        your CV/resume by logging into your profile or sending an email
        to privacyquestions@aecom.com.

    3. Contractors/Subcontractors

      1. AECOM collects “Personal Data” in connection with onboarding you
        as a contractor or subcontractor to perform our contract with you.
        We collect and use your “Personal Data” to evaluate your skills
        and experience, verify your data, to contact you for project
        opportunities and general business operations, conduct legal due
        diligence/anti-corruption screening, denied party checks,
        recording of work time, business continuity and incident response
        communications, administration of safety and protection of AECOM
        employees, resources, and workplaces, physical site access and
        security, accounting/government tax and auditing business
        purposes, administer quality, safety and compliance checks and
        reviews to qualify third party contractors for performing work in
        accordance with applicable quality standards such as ISO 9001 and
        NQA-1; including use of individuals who are required to maintain
        specific qualifications or certifications, administration of
        safety and protection of AECOM systems for recording and
        monitoring network activity for the purpose of identifying,
        predicting, and preventing the entry of malicious activity onto or
        the release of information from the AECOM network and computing
        resources, and to manage AECOM business and project-related
        operations.

      2. The Personal Data we collect includes:

        1. Identification Data
          – such as full name, preferred name, business address, home
          address, email address, telephone number, username/password,
          date of birth, nationality, citizenship status, country of
          birth, photo/image, and biometric data (i.e., fingerprint
          scan) where applicable.

        2. Emergency Contacts
          – such as full name, and telephone number.

        3. Employment and Professional
          – such as job title/position, prior work or project
          experience, reference contacts, CV/resume,
          academic/professional qualifications, skills, work-related
          licenses, education, references, military status, work
          permits, training reports.

        4. Demographic Data
          – such as gender, ethnicity, gender identity, transgender
          status, sexual orientation, and religion.

      3. AECOM processes demographic data for a variety of reasons, and
        this will vary in our different jurisdictions. Our reasons for
        collecting this data include:

        1. To monitor and ensure diversity and equality of treatment and
          opportunity; and

        2. To provide work-related accommodations or adjustments; and

        3. Comply with applicable legislation.

      4. Where the processing of demographic data is not required by law,
        we will ask for your express consent.

        1. Government Issued Data
          – Social security number, federal tax identification
          number, national identification number, driver’s license
          number, passport number.

        2. Financial/Insurance Data
          – bank name and routing and account number, insurance
          policy information.

        3. Medical/Health
          – such as medical certificates, work site incident and
          accident reports.

        4. Other Data
          – We may also collect Personal Data about you from third
          parties or public sources as needed to support the business
          relationship or to engage with you concerning projects at
          AECOM. For example, before and during the business
          engagement, we may collect information from public sources
          and professional networking sources, such as MK Denial, your
          LinkedIn profile, etc. We also may conduct lawful background
          screenings, to the extent permitted by law, through a
          third-party vendor for information about your company
          information, personal credit, and/or criminal history.

    4. Client, Supplier, Joint Venture Staff

      1. As a business partner, AECOM collects Personal Data from you to
        manage existing and prospective clients, customers, suppliers, or
        other third-party relationships (e.g. in relation to the
        initiation, conclusion, or fulfillment of a contract); communicate
        about products or services we offer or intend to offer, the
        improvement of our products or services, and the review of our
        business relationship; perform accounting, auditing, billing, and
        collection activities; meet legal obligations (e.g. financial and
        administrative obligations); and establish, enforce or defend
        against legal claims.

      2. The Personal Data we collect includes:

        1. Identification Data
          – such as full name, preferred name, business address,
          email address, and telephone number

        2. Other Data
          – such as data on invoices, purchase orders, agreements,
          bids, proposals, and other related business records

  3. Change of Purpose for Processing Personal Data

    1. AECOM will only use your Personal Data for the purposes for which it
      was originally collected unless the Company reasonably considers that
      the Company needs it for another purpose compatible with the original
      purpose and there is a legal basis for further Processing. For
      example, the Company may Process the Personal Data you provide to us
      while researching job openings in reliance on AECOM’s legitimate
      interests in recruitment for roles, but once you apply for a specific
      role and are hired into that new role, the Company may need to Process
      your Personal Data in order to enter into an employment contract with
      you.

    2. However, if Personal Data covered by this Notice is to be used for
      a new purpose that is materially different from that for which the
      Personal Data was originally collected or subsequently authorized or
      is to be disclosed to a non-agent third party, AECOM will provide
      you with an opportunity to choose whether to have your Personal Data
      so used or disclosed. Requests to opt-out of such uses or
      disclosures of Personal Data should be sent to: privacyquestions@aecom.com.

  4. How Data is Collected

    We use different methods to collect data from and about you:

    1. Direct Interactions: You give us your Personal Data when contacting us through
      candidate profiles, through interviews, or in response to surveys,
      jobs, projects, bids, through quality and compliance questionnaires,
      proposals, or other means. This includes information you provide
      when you submit your CV/resume or contact details through our
      website, email, and our alumni or talent networks.

    2. Third Parties or Publicly Available Sources: AECOM may obtain information about you from a representative of
      your company (if we are sub-contracting services), publicly
      available online records, background check providers, criminal
      records check, or past or current professional references you supply
      to us. The organization will seek information from third parties
      only once a job offer or business opportunity has been made and
      will inform you or your company representative that it is doing
      so.

    We do not undertake automated decision making or profiling on Personal
    Data or Sensitive Personal Data.

  5. Legal Basis for Processing

    1. Under data protection law, the Company can only collect and Process
      your Personal Data if there is a lawful or legitimate business reason
      for doing so, such as:

      1. To comply with legal and regulatory obligations.

      2. To meet any contractual obligations the Company may have to you.

      3. For AECOM’s legitimate interests or those of a third party (e.g.,
        business or commercial reasons that do not override your rights
        and interests under applicable data protection law).

      4. When the processing is necessary to respond to public health
        emergencies or protect the life, health, or property safety of a
        natural person under emergency circumstances.

      5. Where you have given your consent; or

      6. Other circumstances as required by laws or administrative
        regulations.

    2. AECOM adheres to the following guidelines to ensure that its
      collection of Personal Data is fair and lawful. Specifically, AECOM:

      1. Collects only as much Personal Data as is required by law or
        needed for reasonable and legitimate business purposes.

      2. Collects Personal Data in a non-deceptive manner.

      3. Where appropriate, informs individuals which Personal Data is
        required, and which is optional at the time of collection.

      4. Collects Personal Data from individuals consistent with local
        legal requirements.

    3. AECOM may need to collect Sensitive Personal Data. Where required
      under applicable local law, such Personal Data will be processed with
      consent. Where required by applicable local law, consent to transfers
      or uses of Sensitive Personal Data will be opt-in.

  6. Use and Retention

    1. AECOM uses, stores, retains, and otherwise processes Personal Data
      only for reasonable business purposes and only as required for
      that business purpose or as authorized.

    2. AECOM does not disclose Personal Data to third parties for direct
      marketing purposes, nor does it sell Personal Data. AECOM does not
      share Personal Data for purposes of behavioural marketing. Processing
      of Personal Data will comply with contractual, regulatory, and local
      legal requirements.

    3. Your Personal Data will be retained only for as long as required to
      achieve the purposes for which it was collected, in line with this
      Notice and will be securely destroyed when no longer required.

    4. The following criteria are what determine the period for which the
      Company will keep your Personal Data:

      1. When it is no longer required to be retained to comply with
        regulatory requirements or financial obligations.

      2. Until we are no longer required to do so by any law we are subject
        to.

      3. Until all purposes for which the data was originally gathered have
        become irrelevant or obsolete.

      4. Until the goods and/or services we have provided are no longer in
        active use.

    5. You have the right to submit a request to delete your data in our
      systems. Please note that in some cases where there is a compelling
      legal reason why we are required to keep your data, we will take
      measures to delete unnecessary data and continue to store data
      subjected to the legal requirement.

    6. Job candidate Personal Data may be processed and retained for
      immigration requirements as part of the rehire process, including the
      sharing of that data with legal advisers and government bodies. The
      length of time data may be stored will be based on laws relating to
      these requirements.

  7. Data Privacy Rights

    1. Where permitted or required by applicable law, AECOM extends certain
      data privacy rights to you.

    2. Note that we may be unable to provide you access to your Personal Data
      in instances where we have destroyed, erased, or anonymized the data,
      if we are unable to verify your identity using information we have on
      file for you, or if it would reveal Personal Data about another
      person. We may also refuse any request if applicable law allows or
      requires us to do so. We will inform you of the reasons for refusal.

    3. If you choose to contact us to submit a request, you will need to
      provide us with:

      1. Enough information to identify you (e.g., your full name,
        address, birthdate, or other identifier).

      2. A description of what right you want to exercise and the
        information to which your request relates.

    4. We are not obligated to make a data access or data portability
      disclosure if we cannot verify that the person making the request is
      the person about whom we collected information, or someone
      authorized to act on such person’s behalf.

    5. Any Personal Data we collect from you to verify your identity in
      connection with your request will be used solely for the purposes of
      verification.

      1. The right to request access. You have the right to request copies of your
        Personal Data from AECOM.


      2. The right to request rectification. AECOM relies on you to ensure the information you provide to
        AECOM about you is accurate, complete and current. If any
        Personal Data is inaccurate or incomplete, you may request that
        your Personal Data be corrected or completed. AECOM will correct
        or delete Personal Data as required by applicable law. You may
        also request to correct, amend, or delete Personal Data that has
        been processed in violation of applicable data protection
        law.

      3. The right to request erasure. You have the right to request that AECOM delete your Personal Data
        under certain conditions.

      4. The right to withdraw consent.
        Where you have provided written consent (or positive opt-in) to
        the collection, processing, or transfer of Personal Data, you
        may have the legal right to withdraw consent. Where we have
        processed your Personal Data with written consent (or positive
        opt-in), you can withdraw that consent at any time. Note –
        withdrawing consent will not affect the lawfulness of any
        processing the Company conducted prior to withdrawal, nor will
        it affect the processing of the Personal Data conducted in
        reliance on a lawful basis other than consent.

      5. The right to request portability. You have the right to request that AECOM transfer your Personal
        Data that we have collected to another organization, or directly
        to you, under certain conditions.

      6. The right to restrict processing. You have the right to request that AECOM restrict the
        processing of your Personal Data, under certain
        conditions.

      7. The right to opt-out of email marketing. You can opt-out of email marketing communications at any time
        by selecting the email’s “Opt-out” or “Unsubscribe” link, or
        following the instructions included in each email subscription
        communication.

      8. Results of automated decision making. You have the right to request that AECOM conduct a review of
        automated decision making that impacts you.

      9. The right to file a complaint. If you consider that your privacy rights have not been
        adequately addressed, you have the right to submit a complaint
        to the AECOM Privacy Office or with the supervisory authority in your country of
        residence.

    6. You can submit a request to exercise these data privacy rights to
      the AECOM Privacy Office at privacyquestions@aecom.com.
      California residents may also call 888.299.9602. AECOM will request
      specific information to help confirm identity and rights.

    7. AECOM will not discriminate against individuals for exercising any of
      their privacy rights allowed or required by applicable data protection
      law or regulation.

  8. Sharing and Onward Transfer

    AECOM shares Personal Data in the following ways:

    1. AECOM Staff: AECOM shares Personal Data among staff having a legitimate
      business need to know based on their respective role with the
      Company.

    2. Subsidiaries and Affiliates: AECOM shares information among AECOM subsidiaries and affiliates
      for the purposes described in this Privacy Notice where consistent
      with applicable legal requirements.

    3. Service Providers: AECOM shares Personal Data with selected affiliated or trusted
      service providers to perform services on behalf of the organization.
      These trusted service providers include, but are not limited to,
      Information Technology Providers, Cloud Providers, Data Hosting
      Services, Denied and Restricted Party Screening Providers,
      Background Check Providers, and Data Storage Providers.

    4. Clients: AECOM shares certain Personal Data as part of our professional
      services under contract to our clients, including governmental
      agencies, for project-related work, security clearances or as
      required by security protocols.

    5. Other Third Parties: AECOM discloses certain Personal Data to other third
      parties:

      1. where required by law or legal process (e.g., to tax and social
        security authorities);

      2. where AECOM determines it is lawful and appropriate;

      3. to protect AECOM’s legal rights (e.g., to defend a litigation suit
        or under a government investigation or inquiry) or to protect its
        employees, resources, and workplaces; or

      4. in an emergency where health or security is at stake.

    6. Public Security/Law Enforcement: AECOM may be required to disclose Personal Data in response to
      lawful requests by public authorities, including meeting national
      security or law enforcement requirements.

    AECOM is a global company, with offices, Clients, and Suppliers located
    throughout the world. As a result, Personal Data may be transferred to
    other AECOM offices, data centers, and servers in Europe, Asia, South
    America, or the United States for the purposes identified. Any such
    transfer of Personal Data shall take place only under applicable law and
    the use of Standard Contract Clauses, European Union Standard Contract
    Clauses and data protection agreements.

    AECOM will take steps designed to comply with all applicable local laws
    when Processing Personal Data, including any local law conditions for and
    restrictions on the transfer of Personal Data.

    AECOM may also protect data through other legally valid methods, including
    international data transfer agreements or Standard Contractual Clauses
    that have been recognized by Data Protection Authorities as providing an
    adequate level of protection to the Personal Data we process globally.

    AECOM will ensure all transfers of Personal Data are subject to
    appropriate safeguards as defined by data protection laws and regulations.

  9. Data Security

    AECOM has adopted and maintains reasonable and appropriate information
    security policies, processes and/or procedures to safeguard Personal Data
    from loss, misuse, unauthorized access, disclosure, alteration,
    destruction, and other Processing. However, no method of transmission over
    the Internet, or method of electronic storage, is 100% secure. As such, we
    cannot promise, ensure, or warrant the security of any Personal Data that
    you may provide to us.

    AECOM’s information security processes provide for the classification of
    information and the assignment of protection requirements and information
    security controls based on the classification of information. The
    safeguards used to protect Personal Data are commensurate with the level
    of risk involved.

  10. Additional information for California Residents

    1. AECOM does not sell Personal Data as part of its business practices.
      In compliance with Cal. Civ. Code § 1798.130(a)(5)(C)(i), the Company
      reaffirms that it has not sold your Personal Data in the preceding 12
      months.

    2. In compliance with Cal. Civ. Code § 1798.130(a)(5)(C)(ii), AECOM has
      shared the following Personal Data for a business purpose in the
      preceding 12 months:

      1. Identifiers (e.g., a real name, alias, postal address, unique
        personal identifier, online identifier, Internet Protocol address,
        email address, account name, social security number, driver's
        license number, passport number, or other similar identifiers).

      2. Information that identifies, relates to, describes, or is capable
        of being associated with, a particular individual, including, but
        not limited to, the individual’s name, signature, social security
        number, physical characteristics or description, address,
        telephone number, passport number, driver's license number, or
        state identification number, insurance policy number, education,
        employment, employment history, bank account number, credit card
        number, debit card number, or any other financial information,
        medical information, or health insurance information.

      3. Characteristics of protected classifications under California or
        federal law.

      4. Internet or other electronic network activity information (e.g.,
        browsing history, search history, and information regarding an
        individual’s interaction with an Internet Web site, application, or
        advertisement).

      5. Audio, electronic, visual, thermal, olfactory, or similar
        information.

      6. Professional or employment-related information.

      7. Inferences drawn from any of the information identified above to
        create a profile about an individual reflecting the individual’s
        preferences, characteristics,
        psychological trends, predispositions, behavior, attitudes,
        intelligence, abilities, and aptitudes.

    3. In addition to the rights discussed in Section 7, California residents
      have certain other privacy rights as described below. You can submit a
      request to exercise these data privacy rights to the AECOM Privacy
      Office at privacyquestions@aecom.com. You may also call 888.299.9602.

    4. You have the right to know:

      1. The categories of Personal Data the Company has collected about
        you.

      2. The categories of sources from which the Personal Data is
        collected about you.

      3. AECOM’s business or commercial purpose for collecting or sharing
        Personal Data about you.

      4. The categories of third parties with whom the Company shares
        Personal Data about you.

      5. The categories of Personal Data that the Company has disclosed
        about you for a business purpose.

      6. The specific pieces of Personal Data the Company has collected
        about you.

    5. Please note that the Company is not required to:

      1. Retain any personal data about you if, in the ordinary course of
        business, that information about you is not retained.

      2. Reidentify or otherwise link any data that, in the ordinary course
        of business, is not maintained in a manner that would be
        considered Personal Data; or

      3. Provide the Personal Data to you more than twice in a 12-month
        period.

  11. Exceptions

    Under certain limited or exceptional circumstances, AECOM may, as
    permitted or required by applicable laws and regulations, process Personal
    Data without providing notice, access or seeking consent. Examples of such
    circumstances may include investigation of specific allegations of
    wrongdoing, violation of company policy or criminal activity; protecting
    employees, the public, or AECOM from harm or wrongdoing; cooperating with
    law enforcement agencies; auditing financial results or compliance
    activities; responding to court orders, subpoenas or other legally
    required disclosures; meeting legal or insurance requirements or defending
    legal claims or interests; satisfying labor laws or agreements or other
    legal obligations; collecting debts; protecting AECOM’s information
    assets, intellectual property and trade secrets; in emergency
    situations, when vital interests
    of the individual, such as life or health, are at stake; with respect to
    access requests, where the burden or expense of providing access would be
    disproportionate to the risks to the individual’s privacy or the privacy
    interests of others would be jeopardized; and in cases of business
    necessity.


  12. Other Important Information

    1. Privacy laws and guidelines are part of a constantly changing
      environment. AECOM reserves the right, at its discretion, to modify,
      add, or remove portions of this Privacy Notice or any supplemental
      privacy notice at any time. Any material change to this Privacy
      Notice will be made available to you. When the Company makes
      material changes, the Company will also update Section 15 – Change Log.

    2. AECOM commits to cooperate with European Union data protection
      authorities (DPAs) and comply with the advice given by such
      authorities regarding human resources data transferred from the
      European Union in the context of the employment relationship.

    3. If you are in the European Union, the European Economic Area,
      Switzerland, or the United Kingdom, the data controller of your
      Personal Data will be the AECOM entity that signs a contract with you
      or for which you submit your CV/resume in response to a job
      opportunity.

    4. If you consider that your rights have not been adequately addressed,
      you have the right to submit a complaint with the supervisory
      authority in your country of residence, place of work, or the country
      in which an alleged infringement of data protection law has occurred.


  13. Contacting AECOM Privacy Office

    1. Any questions regarding this Notice or general privacy-related
      questions or concerns related to your Personal Data should be
      addressed to the AECOM Privacy Office at: privacyquestions@aecom.com

    2. For Germany inquiries, you may use the following email address: datenschutz@aecom.com

  14. Terms and Definitions

    a. Data Privacy means the legal rights and expectations of individuals
      to control how their Personal Data is collected and used.

    b. Personal Data means any information relating to, describing,
      reasonably capable of being associated with, or capable of reasonably
      being linked, directly or indirectly, to an identified or identifiable
      natural person.

    c. Processing means any operation or set of operations that is performed
      upon Personal Data.

    d. Sensitive Personal Data has definitions that vary from country to
      country. For example, European data protection laws treat certain
      categories of Personal Data as especially sensitive, e.g., biometric,
      information about racial or ethnic origin, political opinions,
      religious or philosophical beliefs, trade union membership,
      information specifying medical or health conditions, or sex life.

      In the United States, sensitive information may include, but is not
      limited to, Social Security numbers, bank account numbers, passport
      information, healthcare related information, medical insurance
      information, credit and debit card numbers, drivers’ license and
      state ID information, information from children under the age of 13,
      biometric information, genetic data, precise geo-location, and
      information about racial or ethnic origin, religious or
      philosophical beliefs, sex life, sexual orientation or union
      membership.

  15. Change Log

    Rev # / Change Date / Description of Change / Location of Change

    0 / 12-Feb-2020

      Initial release as L1-007-PL5

    1 / 14-Aug-2020

      • Section 6, subsection i – the inclusion of a chart that outlines
        specific rights for California residents.

      • Section 6, subsection i – the inclusion of the Ethics hotline as a
        secondary method for California residents to submit privacy rights
        requests.

      • Section 1, updated to include applicability to job applicants and
        sub-consultants.

      • Section 2, inclusion of a table representing examples of personal
        data collected to comply with transparency requirements under GDPR,
        CCPA and other data protection laws.

      • Section 12 – updated definitions for Personal Data and Sensitive
        Personal Data to comply with CCPA

      • Section 7 – removed reference to Privacy Shield principles as a
        mechanism to transfer personal data from the European Union.

      • Section 7 – inclusion of the use of European Union Standard Contract
        Clauses and data protection agreements as a mechanism for transfer
        of personal data from the European Union.

      • Removed section 8 – reference EU-US Privacy Shield.

    2 / 26-Aug-2020

      • Removed references to Privacy Shield in sections 4, 6, and 9

    3 / 20-Jan-2023

      • Section 1 – updated entire section to clarify terms and requirements.

      • Section 2.1 – added new section 2.1 for public website data
        collection.

      • Section 2.2 – added new section 2.2 for collection and processing of
        candidate data.

      • Section 2.3 – added new section 2.3 for collection and processing of
        contractor and subcontractor data.

      • Section 2.4 – added new section 2.4 for collection and processing of
        client and vendor data.

      • Section 3 – added new section 3 for change of purpose of processing
        data.

      • Section 5 – Updated section 5 for lawful basis of processing data.

      • Section 6 – made updates to use and retention of data.

      • Section 7 – added right of human intervention for automated decision
        making results.

      • Section 8 – made updates for sharing and onward transfer of data.

      • Section 10 – added new section 10 for California residents.

      • Section 13 – updated section to reflect email contact for Germany
        operations.