1. Introduction
Arcadis N.V. and its group companies (together "Arcadis") are committed to protecting the privacy of their Employees. This Privacy Notice for Employee Data ("Notice") describes how Arcadis processes and protects personal data of employees. ‘Employee’ or ‘you’ in this Notice means:
- employees or former employees of Arcadis;
- interns, temporary workers who are individuals engaged by Arcadis or through a third-party agency, whereby the third-party agency has the responsibility for salary, tax and social security obligations of the temporary worker (excluding Contingent Workers); and
- (former) executive or non-executive directors of Arcadis or (former) members of the supervisory board or similar body to Arcadis.
Contingent workers who work for Arcadis either for their own account, or via a personal holding company owned by the individual are referred to the Arcadis Privacy Notice for Client, Supplier or Business Partner Data.
Your Arcadis employer is the controller of your personal data. Your local website specifies the local employer company responsible for the processing of your personal data. The contact details of your Arcadis employer you can find on your employment contract and the contact details of your local privacy officer and the competent supervisory authority can be found on your local website.
For certain processing operations Arcadis N.V. may also be the controller for your personal data. Your Arcadis employer and Arcadis N.V. may be jointly responsible for the processing of your personal data. The contact details of Arcadis N.V. can be found on the Arcadis website (www.arcadis.com) and the Chief Privacy Officer you can reach under privacy@arcadis.com.
Bespoke notices and supplementary privacy statements may contain further information about how Arcadis is processing your personal data. In those instances, such privacy notices will be communicated to you separately. These privacy notices may vary among the countries in which we operate to reflect local practices and applicable law requirements. In case of conflict, country or bespoke notices will take precedence over this notice.
For processing of personal data in relation to Lovinklaan, please see clause 12 of this Notice.
2. How do we collect personal data?
Usually, we obtain your personal data from you (e.g. because you provide us with your personal data directly or because personal data is collected while you perform your job at Arcadis). We may also obtain your personal data from public data sources like LinkedIn. Where we receive personal data from other sources, we will inform you thereof.
3. Purposes for which Arcadis processes your personal data
In the course of your employment with Arcadis, we will collect information relating to you and your working relationship with Arcadis and, where applicable, relating to your spouse, domestic/civil partner or dependents. We refer to such information as “personal data” and use such data for the purposes listed below. Where Arcadis processes your personal data for other purposes than listed in this Privacy Notice, you will be informed of this separately where required.
The list below also informs you of the legal ground on the basis of which we process your personal data. Where we rely on legitimate interest as a legal ground, we will always seek to maintain a balance between our legitimate business interests as described below and your privacy.
Human resources and personnel management. This purpose includes processing of employee personal data that is necessary for the performance of your employment or other contract, or for managing the employment-at-will relationship, including management and administration of recruiting and outplacement, employability, leave and other absences, compensation and benefits (including pensions), payments, tax issues, career and talent development, performance evaluations, training, travel and expenses, and employee communications.
The legal grounds for these processing activities are:
- that the processing is necessary for the performance of your employment contract;
- compliance with a legal obligation to which Arcadis is subject to; or
- our legitimate interest.
Business process execution and internal management. This purpose addresses activities such as: scheduling work; recording time; managing company and employee assets; provision of central processing facilities for efficiency purposes; conducting audits and investigations; reviewing and monitoring compliance with internal policies and procedures; implementing business controls; managing and using employee directories; archive and insurance purposes; legal or business consulting and; preventing, preparing for or engaging in dispute resolution.
From time to time, we may be share your personal data with customers or their advisors for customer project control or audit purposes. This may happen with customers or advisors from a different jurisdiction if you are participating in an overseas project.
The legal grounds for these processing activities are:
- compliance with a legal obligation to which Arcadis is subject; or
- our legitimate interest
Health, safety, security and integrity. This purpose addresses activities such as those involving the protection of the interests of Arcadis and its employees and clients, including the pre- and in- employment screening and monitoring of employees and logging usage of company systems and equipment, occupational safety and health, the protection of company and employee and customer assets, and the authentication of employee status and access rights.
The legal grounds for these processing activities are:
- compliance with a legal obligation to which Arcadis is subject; or
- our legitimate interest.
Organizational analysis and development, management reporting, acquisitions and divestures. This purpose addresses activities such as conducting employee surveys, managing mergers, acquisitions and divestitures, and processing employee personal data for management reporting and analysis.
The legal ground for these processing activities is our legitimate interest.
Compliance with laws. This purpose addresses the processing of employee personal data as necessary for compliance and the performance of a task carried out to comply with a legal obligation to which Arcadis is subject including the disclosure of employee personal data to government institutions or supervisory authorities in relation thereto.
The legal ground for these processing activities is compliance with a legal obligation to which Arcadis is subject.
Protecting vital interests of employees. This is where processing is necessary to protect the vital interests of an employee.
The legal ground for these processing activities is protection of the vital interests of an individual.
4. Categories of personal data
The below overview contains the categories of personal data as processed by Arcadis in the course of your employment relationship. If Arcadis processes other categories of personal data than as listed below, you will be informed of this separately where required.
- Personal details (e.g., name, employee number, contact details incl. home address, language(s) spoken, gender, date of birth, social security number, marital/civil status, emergency contact information, nationality and employment status).
- Position (e.g., positions, title, corporate status, management category, location, status and type, full-time/part-time, terms of employment, work history, hire/re-hire and termination date(s) and reason, length of service, retirement eligibility, promotions and disciplinary records).
- Compensation and payroll (e.g., salary, bonus, benefits, compensation type, salary level, equity plans and other awards, currency, pay frequency, effective date of compensation, salary reviews, banking details, working time records, travel and other business expenses, termination date and life assurance beneficiaries).
- Immigration status (e.g., citizenship, passport data and identity card data and details of residency or work permit).
- Talent management information (e.g., details contained in letters of application and CVs, ratings, development programs, e-learning, performance and development reviews, driver’s license, and information used to populate employee biographies).
- Management records (e.g., details of any shares of common stock or directorships).
- System and application access data (e.g., information required to access company systems and applications such as active directory, email address, employee ID, other system and application user IDs and passwords, usage of company systems, electronic content produced using company systems and incidents response data).
5. Sensitive personal data
In the course of your employment relationship, Arcadis may need to collect certain data which is viewed as ‘sensitive’ because it reveals intimate characteristics, such as religion, race or ethnicity, trade union membership, sexual preference, criminal behavior and health. This may take place for instance for corporate reporting purposes. Such sensitive data shall be used by Arcadis only within the strict limits set out by applicable local law and may include the sensitive data and processing purposes listed below. If Arcadis processes other categories of sensitive personal data or processes such data for other purposes, you will be informed of this separately.
Where required, your explicit consent will be sought before the processing of sensitive personal data takes place. Other legal grounds on the basis of which Arcadis may process the sensitive personal data as described above are:
- the performance of your employment contract;
- the legitimate interest of Arcadis to protect its rights, interests and assets and the rights, interests and assets of its employees, clients, suppliers and business partners;
- the legitimate interest of Arcadis to conduct good employer relationship;
- the legitimate interest of Arcadis to establish, exercise or defense a legal claim;
- protection of your vital interest (e.g. in an emergency); or
- compliance with a legal obligation of which Arcadis is subject.
6. Personal data access
Access to your personal data is only authorized to the extent such access is necessary to serve the intended purpose and for the respective staff to perform their job. Staff that are authorized within Arcadis to access your personal data may include your managers and their designees, and personnel in the People organization, Legal, Technology, Finance and Reporting and Internal Audit. All personnel within Arcadis will generally have access to your business contact information such as name, position, telephone number, postal address and email address.
From time to time, Arcadis may need to make personal data available to other unaffiliated third parties, such as: service providers (companies that provide products and services to Arcadis such as payroll, pension scheme and benefits providers, IT systems suppliers, travel services, performance management, surveys, training, expense management or credit card companies, medical/health practitioners and background check agencies); professional advisors (such as accountants, auditors, or lawyers); public and governmental authorities (entities that regulate or have jurisdiction over Arcadis such as regulatory authorities, law enforcement, public bodies and judicial bodies); clients or their advisors or; in the context of corporate transactions (a third party in connection with any proposed or actual reorganization, merger or sale). Arcadis will put in place agreements with third party service providers and professional advisors to protect your personal data.
Due to the global nature of Arcadis’ operations, we may need to disclose personal data to personnel, departments and clients and their advisers in other countries. Some of the unaffiliated third parties may also be located outside your home jurisdiction.
7. Monitoring
All activities on Arcadis IT equipment and/or when connected to the Arcadis IT network may be monitored for legitimate business purposes.
Arcadis staff may receive an access badge which allows Arcadis to record the data, time and access points made by individuals within Arcadis premises and assets. The data from the access and security systems are used:
- for health, safety and security purposes, to prevent fraud and specifically the protection of Arcadis assets, Arcadis staff and visitors to Arcadis premises;
- to comply with legal and regulatory requirements; and
- to monitor (on an aggregated basis) the number of individuals entering or working in an Arcadis premise for human resources or real estate planning.
8. Transfer of personal data
Where your personal data is transferred to companies outside your country, we will take organisational, contractual and legal steps to ensure that your personal data is processed only for the purposes described above and that an adequate level of protection has been implemented to safeguard your personal data.
Where such international data transfer takes place to a country that has a different data protection regime, Arcadis will ensure that the international data transfer will not negatively affect the level of protection of your personal data. Where required, Arcadis will inform you of any additional details on the international data transfer.
In case you are based in the European Economic Area (EEA) and the recipient of your personal data as described in this clause is based outside the EEA in a country that is not considered to have an adequate level of data protection, Arcadis will ensure that this transfer is based on appropriate safeguards to protect the personal data, including EU Model Clauses or Binding Corporate Rules. Information on such safeguards can be obtained via Chief Privacy Officer or your local Privacy Officer.
9. Security and Integrity
Arcadis will take appropriate technical, physical and organizational measures to protect personal data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure acquisition or access, that are consistent with applicable privacy and data security laws and regulations. This will include requiring service providers to use appropriate measures to protect the confidentiality and security of personal data.
10. Data Retention
Arcadis will take reasonable steps to ensure that personal data processed are relevant for their intended use, and are accurate, complete and kept up to date for carrying out the purposes described in this Notice.
In general, Arcadis will keep your personal data for the duration of the employment contract.
After termination of your employment contract, Arcadis will retain your personal data for a certain fixed period of time as required by law, which may vary from country to country and is determined in accordance with local legal and professional retention obligations (see the privacy notice on your local website).
If we have another urgent interest (e.g. in the event of an ongoing or anticipated legal dispute), the personal data may also be stored for longer.
11. Individual rights and complaints
We aim to keep our information as accurate as possible. You can:
- request access to your personal data
- request correction or deletion of the personal data (but only where they are no longer required for a legitimate business reason)
- request that the processing of your personal data is restricted
- withdraw consent to the processing of your personal data where the processing is based on consent.
You can exercise your rights by contacting your local Privacy Officer. Arcadis will perform your request in accordance with local law as applicable to you. Please note, that requests that do not meet the requirements set out by applicable law or Arcadis guidelines may be requested to be re-issued or ultimately denied and that certain personal data may be exempt from such access, correction and deletion requests pursuant to applicable data protection laws or other laws and regulations.
For data protection or privacy related issues, queries or complaints regarding the processing of your personal data, please refer to the relevant Privacy notice of your location or alternatively you can contact privacy@arcadis.com.
If you are unsatisfied with the handling of your personal data by Arcadis, you have the right to lodge a complaint to your local data protection authority (if there is one) or the Dutch Data Protection Authority whose address is Prins Clauslaan 60, 2595 AJ The Hague, The Netherlands.
12. Lovinklaan
Lovinklaan (www.lovinklaan.nl) offers its programs together with Arcadis N.V. Lovinklaan and Arcadis N.V., are jointly responsible for the processing of your personal data in relation to the Lovinklaan programs. We have determined our respective responsibilities for compliance with the obligations under applicable privacy legislation for processing your personal data in relation to the Lovinklaan programs by means of an arrangement between Arcadis N.V. and Lovinklaan.
In summary, we have arranged that if you want to exercise your rights or if you have any questions or complaints about the processing of your personal data in scope of the Lovinklaan programs, you can contact Arcadis N.V. in accordance with clause 10 of this Notice. Lovinklaan will assist Arcadis N.V. where necessary to ensure that you can exercise your rights and that your questions and complaints will be handled.
For other details of the processing of your personal data in scope of the Lovinklaan programs, please refer to the Lovinklaan privacy notice which can be found on Lovinklaan website, see above.