1. Introduction
Arcadis understands that being open and transparent about how we manage, use and process your personal data is of the upmost importance. We are committed to protecting your personal data.
How do we ensure your data is protected and what are your rights?
Privacy Notice – whether you’re a client, supplier or business partner this Privacy Notice explains how and why we collect and use your personal data. It also outlines your rights on how to obtain, review or withdraw your data. We may change this Privacy Notice from time to time. Any such changes will be posted here, and any material changes will be made prominent. We encourage you to review this page from time to time.
Bespoke notices and supplementary privacy statements may contain further information about how Arcadis is processing your personal data. In those instances, such privacy notices will be communicated to you separately. These privacy notices may vary among the countries in which we operate to reflect local practices and applicable law requirements. In case of conflict, country or bespoke notices will take precedence over this notice.
1.1 Contact Us:
For privacy related queries incl. rectification requests, access requests and complaints please contact privacy@arcadis.com.
2. General
This Privacy Notice is applicable to the processing of all personal data of Business Contacts of Arcadis N.V. and its group companies (together ‘Arcadis’). ‘Business Contact’ or ‘you’ means each individual whose personal data is processed by Arcadis in its role as controller. This is when you work at a client, supplier or business partner of Arcadis, when you are a recipient of commercial messages of Arcadis or when you have another business relationship with Arcadis. This also includes contingent workers, people working at Arcadis as consultants or employees of third parties providing services to Arcadis.
Depending upon your location, the company from the Arcadis group operating in such location will be responsible for processing your personal data. The contact details of the Arcadis company responsible for processing your personal data, your local privacy officer and the competent supervisory authority can be found on your local website.
For certain processing operations Arcadis N.V. may also be the controller for your personal data. The local Arcadis entity and Arcadis N.V. may be jointly responsible for the processing of your personal data. The contact details of Arcadis N.V. can be found on the Arcadis website (www.arcadis.com) and the Chief Privacy Officer you can reached under at privacy@arcadis.com.
3. How do we collect personal data?
We collect your personal data both online and offline. Most commonly, we receive your personal data:
- From your direct interaction with us, either when doing business with you or when you visit our events or website.
- From your employer when your employer is our client, supplier or business partner, so we can perform our services and work with you.
- From public and private data sources like sanction lists, trade registers and LinkedIn, for instance where we need such personal data to verify your identity before we do business with you.
In addition, in order to comply with legal and regulatory obligations, to protect the assets and employees/contractors of Arcadis and specifically to ensure that Arcadis can comply with trade control, anti-money laundering and/or bribery and corruption laws and other regulatory requirements, we carry out screening (pre-contract and on a periodic basis post-contract) on owners, shareholders and directors of our Business Customers, Suppliers and Business Partners. This screening takes place against publicly available, or government issued sanctions lists and media sources. The screening does not involve profiling or automated decision making in relation to the counterparties or potential counter-parties.
4. Purposes for which Arcadis processes your personal data
Arcadis processes your personal data for the purposes set out below. We also inform you of the legal ground on the basis of which we process your personal data. Where we rely on legitimate interest as a legal ground, we will always seek to maintain a balance between our legitimate business interests and your privacy as described below:
Assessment and acceptance of clients, conclusion and execution of agreements with clients, suppliers and business partners. This purpose includes processing of personal data that is necessary in connection with the assessment and acceptance of clients, suppliers and business partners, including confirming and verifying the identity of relevant Business Contacts (this may involve the use of a credit reference agency or other third parties) and conducting due diligence and screening against publicly available government and/or law enforcement agency sanctions lists (e.g. for compliance requirements). This purpose also includes the processing of personal data necessary to conclude and execute agreements with clients, suppliers and business partners, including required screening activities (e.g. for access to Arcadis’ premises or systems), delivery of client services, and to record and financially settle delivered services and projects to and from Arcadis.
The legal grounds for these processing activities are:
- compliance with a legal obligation to which Arcadis is subject; or
- our legitimate interest.
Development and improvement of Arcadis’ services. This purpose addresses processing of personal data that is necessary for the development and improvement of Arcadis services and for research and development. This includes processing of business contact personal data for surveys, reviews and research.
The legal ground for these processing activities is our legitimate interest.
Relationship management and marketing. This purpose includes processing of personal data that is necessary for activities such as maintaining and promoting contact with clients, suppliers and business partners via marketing communications, account management, client services, execution and analysis of market surveys and marketing strategies.
The legal grounds for these processing activities are:
- Our legitimate interest; or
- Consent
Business process execution, internal management and management reporting. This purpose includes processing of personal data that is necessary for the management of company assets, conducting audits and investigations, reviewing and monitoring compliance with internal policies and procedures, finance and accounting, implementing business controls, providing central processing facilities for efficiency purposes and managing mergers, acquisitions and divestitures. This purpose also includes processing personal data for management reporting and analysis, archiving and insurance, legal or business consulting and preventing, preparing for or engaging in dispute resolution.
The legal grounds for these processing activities are:
- compliance with a legal obligation to which Arcadis is subject; or
- our legitimate interest
Health, safety, security and integrity purposes. This purpose includes the processing of personal data that is necessary for the protection of the rights, interests and assets of Arcadis and its employees, clients, suppliers and business partners and activities such as those involving health and safety. It also includes the authentication of client, supplier or business partner status and access rights.
The legal grounds for these processing activities are:
- the fact that the processing is necessary for the performance of a contract to which you are a party;
- compliance with a legal obligation to which Arcadis is subject; or
- our legitimate interest.
Compliance with the law. This purpose includes the processing of personal data that is necessary for the performance of a task carried out to comply with a legal obligation to which Arcadis is subject, including the disclosure of personal data to government institutions or supervisory authorities.
The legal ground for these processing activities is compliance with a legal obligation to which Arcadis is subject.
Protection of the vital interests of Business Contacts. This purpose includes the processing of personal data that is necessary to protect the vital interests of you as our Business Contact.
The legal ground for these processing activities is protection of the vital interests of an individual.
5. Categories of personal data
The below overview contains the categories of personal data processed by Arcadis for the purposes described in this Privacy Notice. If Arcadis processes other categories of personal data than as listed in this Privacy Notice, you will be informed separately thereof where required and consent will be sought if legally required.
Your personal details: including work e-mail address, work telephone number and work address; private email address, private telephone number, home address; job function or position; job history; picture or video.
Your company and communication details: correspondence between you and Arcadis; information to check your identity; your relationship with Arcadis; your behaviour towards Arcadis, its employees or clients, suppliers and business partners; of your business; publicly available data, such as information relating to owners, majority shareholders, and top-level management or executives; online available information (information on the processing of personal data that is collected via cookies or similar technologies, can be found in the cookie statements on the Arcadis websites)
6. Sensitive personal data
In the course of your business relationship with Arcadis, Arcadis may need to collect certain data viewed as ‘sensitive’ because they reveal intimate characteristics, such as religion, ethnicity, criminal acts or health. Such sensitive data shall only be used within the strict limits set out by applicable local law.
Such sensitive data processing activities conducted by Arcadis may, in accordance with applicable local requirements, include the following:
Your image may be processed by Arcadis in as far as necessary for identification or future reference purposes, for site access and security reasons and for the identification and authentication of clients, suppliers or business partners.
Data relating to criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour may be processed by Arcadis in as far as necessary for assessment and acceptance of clients, suppliers or business partners, for the protection of the rights, interests and assets of Arcadis, its employees and clients, suppliers and business partners and to comply with applicable legal obligations.
Physical or mental health data may be processed by Arcadis in as far as necessary for the assessment and acceptance of a client, supplier or business partner, the execution of an agreement with a client, supplier and business partner, compliance with Arcadis’ duty of care towards clients, suppliers and business partners and for the protection of your vital interests.
Personal data on religion or beliefs may be processed by Arcadis in as far as necessary to accommodate specific services for a client, including dietary requirements or religious holidays.
Where required, your explicit consent will be sought before the processing of sensitive personal data takes place. Other legal grounds on the basis of which Arcadis may process the sensitive personal data as described above are:
- the legitimate interest of Arcadis to protect its rights, interests and assets and the rights, interests and assets of its employees, clients, suppliers and business partners;
- the legitimate interest of Arcadis to ascertain your identity and status; or
- compliance with a legal obligation of which Arcadis is subject.
7. For what period does Arcadis retain your personal data?
In general, Arcadis will retain your personal data for the duration of your business relationship with Arcadis (e.g. during the time Arcadis services are delivered to your employer and you are our Business Contact) and for the time it is necessary to keep your personal data after the end of the services. This period will depend on our purpose of use of your personal data. Examples are:
- Where your business contact details are included in our invoices, we will keep your personal data together with our invoices (usually 7 years based on tax legislation).
- Where your business contact details are included in our project plans, we will retain your personal data in accordance with our project plan retention periods (usually 10 years depending on the project).
- Where we need your personal data for identification and screening purposes, we will keep your personal data for as long as we are required to keep proof of the screening based on local law.
- If you are one of our prospects, we will keep your contact details during the time that Arcadis sends you commercial messages you are interested in (such as newsletters) and 24 months thereafter.
Arcadis will deviate from these retention periods if Arcadis has a pressing interest to keep your personal data longer (e.g. in case of ongoing or expected litigation).
8. Personal data access
Access to your personal data is only authorized to the extent such access is necessary to serve the intended purpose and for the respective staff to perform their job. Staff that are authorized to access your personal data may include your Arcadis point of contact, and Arcadis personnel such as within Finance, Reporting, Internal Audit, IT, marketing and Legal.
From time to time, Arcadis may need to make personal data available to unaffiliated third parties, such as service providers (companies that provide products and services to Arcadis such as payment providers, IT systems suppliers), professional advisors (such as accountants, auditors, or lawyers), public and governmental authorities (entities that regulate or have jurisdiction over Arcadis such as regulatory authorities, law enforcement, public bodies and judicial bodies), or in the context of corporate transactions (in connection with any proposed or actual reorganization, merger or sale). Arcadis will put in place agreements with third party service providers and professional advisors to protect your data protection interests.
9. Transfer of personal data
Due to the global nature of Arcadis’ operations, Arcadis may need to disclose personal data to its own personnel and departments in other countries. Where your personal data have been transferred to companies within the Arcadis group and/or to authorized third parties located outside of your country we take organizational, contractual and legal measures to ensure that your personal data are exclusively processed for the purposes mentioned above and that adequate levels of protection have been implemented in order to safeguard your personal data. These measures include Binding Corporate Rules for transfers among the Arcadis group and for Arcadis companies in the EU, European Commission approved transfer mechanisms for transfers to third parties as well as any additional local legal requirements. You can find a copy of Arcadis Binding Corporate Rules by contacting privacy@arcadis.com.
10. Security
Arcadis has taken appropriate technical, physical and organizational measures to protect personal data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure acquisition or access, that are consistent with applicable privacy and data security laws and regulations. This includes requiring service providers to use appropriate measures to protect the confidentiality and security of personal data.
11. Individual rights and complaints
We aim to keep our information as accurate as possible. You can:
- request access to your personal data
- request correction or deletion of the personal data (but only where they are no longer required for a legitimate business purpose)
- request that the processing of your personal data is restricted
- withdraw consent to the processing of your personal data
To make any of these requests, please contact your local Privacy Officer or privacy@arcadis.com.
For data protection or privacy related issues, queries or complaints regarding the processing of your personal data, please refer to the relevant Privacy notice of your location or alternatively you can contact privacy@arcadis.com.
If you are unsatisfied with the handling of your personal data by Arcadis, you have the right to lodge a complaint to your local data protection authority (if there is one) or the Dutch Data Protection Authority whose address is Prins Clauslaan 60, 2595 AJ The Hague, The Netherlands.
12. Cookies and similar technologies
Arcadis may use cookies and similar technologies that aim to collect and store information when you visit an Arcadis website. This is to enable Arcadis to identify your internet browser and collect data on your use of our website, which pages you visit, the duration of your visits and identify these when you return so that we improve your experience when visiting our website(s). You can control and manage your cookie preferences by adjusting your browser settings or using the Arcadis cookie preference tool on Arcadis websites. For more information, please refer to the Arcadis Cookie statement.