GLOBAL PRIVACY POLICY
NOVEMBER 2021
APPROVED BY THE BOARD OF DIRECTORS IN NOVEMBER 2021
WSP Global Inc. and its subsidiaries (collectively “WSP”, “we”, “our” or “us”, and each a “WSP entity”) collect and use Personal Information which relates to employees (current, former and retired), independent contractors, other persons subject to a current or former employment-type relationship with WSP, clients, business partners and other individuals including website users and job applicants (“Data Subject(s)”).
This Global Privacy Policy (“Privacy Policy”) sets forth general principles (“Privacy Principles”) applied by WSP when handling Personal Information and is to be read together with the Code of Conduct (the “Code”). WSP collects and processes Personal Information in compliance with this Privacy Policy, the Code, applicable data protection and privacy laws, and other WSP internal policies as amended and updated from time to time.
A list of defined terms, including the definitions of Personal Information and Sensitive Personal Information, is included in the Glossary at the end of this Privacy Policy.
This Privacy Policy applies to WSP and to each WSP entity’s respective personnel, employees, independent contractors and other persons subject to an employment-type relationship with WSP (such as contractors, agency workers, consultants) (“Employees”, “you” or “your”). All business areas, departments and functions are responsible for ensuring that all Employees comply with this Privacy Policy.
WSP acknowledges that some WSP entities may need to adopt supplemental privacy or data protection policies, localised variances, guidelines, procedures, or contracting standards based on the nature of their services, clients’ requirements, or to comply with local laws. Where a more stringent privacy or data protection standard or requirement is mandated, the respective WSP entity subject to that mandate and their respective Employees, must comply with the more stringent requirement. Where there is a conflict between the requirements of a supplemental policy, localised variance, guideline, procedure, or contracting standard and the requirements of this Privacy Policy, the higher level of data protection applies.
WSP collects and processes Personal Information of the types described below, or relating to the particular categories of individuals described below, in accordance with the Privacy Principles set out in this Privacy Policy:
Employment Data: This includes Personal Information collected and used for Human Resources and employment processes from current and prospective Employees, former and retired Employees, and the dependents and beneficiaries of current, former and retired Employees. It may also include other Personal Information relevant to the employment or employment-type relationship with WSP that may be collected from third parties, such as background checks, professional standing or status as a union representative.
Client Data: This includes Personal Information received from clients and prospective clients in relation to their employees and accounts, as well as in relation to services or activities they deliver to end-users in which, for instance, WSP hosts or accesses client-owned or controlled data and supports those services or activities for or on behalf of its clients.
Business Partner Data: This refers to Personal Information of suppliers, agents and other business partners including contact information and other Personal Information received or accessed in the course of third party due diligence related to the services the business partner performs for WSP or its clients.
Contact Information: This includes Personal Information relating to an individual’s name, title, company affiliation, mailing address, telephone numbers, SMS text contact information, email address, and contact preferences.
WSP collects and processes other information such as anonymized, de-identified and aggregate data that does not identify a Data Subject. Such information is not subject to any obligations under data protection and privacy laws.
Local data protection or privacy laws applicable to some WSP entities may exclude certain types of information (such as business contact information) from the scope of those laws in which case the definition of Personal Information under this Privacy Policy with respect to those WSP entities shall be read as subject to any such exclusions.
The following principles guide WSP’s actions and decisions, as well as those of its Employees, when collecting, processing and transferring Personal Information.
WSP and its Employees are required to collect, process and transfer Personal Information in accordance with this Privacy Policy and all applicable local data protection and privacy laws and regulations.
WSP ensures Data Subjects receive appropriately detailed information regarding the Processing of their Personal Information. Notice is provided to Employees through the Employee Privacy Notice available on the WSP intranet (“Employee Privacy Notice”) and to other Data Subjects through the External Privacy Policy on WSP’s websites (“External Privacy Policy”).
Some WSP entities provide separate or supplemental privacy notices to Employees of that WSP entity and other individuals in relation to whom Personal Information is processed by that WSP entity, as required by applicable law and business requirements.
To ensure that Processing of Personal Information is carried out lawfully, WSP processes Personal Information under the following circumstances, unless otherwise authorized by law:
[Table of lawful bases for Processing, in two columns: PERSONAL INFORMATION | SENSITIVE PERSONAL INFORMATION. The body of the table is not reproduced in this copy.]
The Employee Privacy Notice, the External Privacy Policy and any privacy notices and policies issued to Data Subjects by certain WSP entities from time to time set out the uses for which WSP processes Personal Information and Sensitive Personal Information and the applicable legal grounds.
WSP only obtains and collects Personal Information for specified, explicit and legitimate purposes as detailed in the Employee Privacy Notice, the External Privacy Policy, any other privacy notices and policies issued to Data Subjects by certain WSP entities from time to time or as otherwise authorized by law. Once Personal Information has been obtained for a particular purpose, WSP will not use it for a different and incompatible purpose, unless as authorized by, and except in accordance with, applicable law.
WSP verifies that the Personal Information it uses is adequate, relevant and not excessive for the purposes for which it was collected and processed. WSP limits the Personal Information collected to what is necessary for WSP to conduct its business activities, in accordance with applicable law. Each WSP entity with Employees processes employment-related Personal Information for the reasons outlined in the privacy notice issued to its respective Employees.
WSP works to ensure that the Personal Information it collects is accurate and periodically verifies that such data is kept up to date, where appropriate or required considering the circumstances and applicable law.
WSP does not retain Personal Information for longer than necessary for the business purposes of the Processing, taking into consideration the means by which the Personal Information was obtained and any legal, contractual, or regulatory obligations to which WSP is subject.
In accordance with the Privacy Principles articulated in this Privacy Policy, and in line with WSP’s global governance and internal controls as described in the Global Information Security Policy, role-based access controls to Personal Information must be used to apply the principle of “least privilege”, such that access privileges are granted only to the level required by the user’s role to perform their job duties. Employees who have access to Personal Information are required to comply with this Privacy Policy and to only use, access or process such information for purposes directly related to their WSP responsibilities.
WSP does not disclose Personal Information except in the circumstances set out in this Privacy Policy, unless as required or otherwise permitted by applicable law.
WSP transfers Personal Information, including, at times, Sensitive Personal Information, where necessary to conduct WSP’s business activities, to comply with laws or as otherwise authorized by law.
WSP transfers Personal Information between WSP entities and to third parties (which may include clients, service providers and business partners), in compliance with applicable laws and requirements (including any cross border transfer restrictions), and only where the transfer is based on a clear business need. WSP requires appropriate assurances from third parties when outsourcing the Processing of Personal Information.
See also: GDPR Annex.
Personal Information must be processed securely using appropriate security measures.
Appropriate technical controls are described in the Global Technical Security Policy and may include role-based access controls, password requirements and approved encryption technologies. Physical security controls and measures, such as physical access controls and lock and key controls, are identified in the Global Physical Security Policy. Together these controls are intended to ensure the protection of Personal Information.
In addition, all Personal Information should be classified, handled, held and disclosed only in accordance with the Global Information Classification and Handling Policy.
Where a third party provides outsourced or cloud IT services or otherwise processes Personal Information on WSP’s behalf, specific security arrangements will be implemented, when required, through contractual arrangements with those organizations. Appropriate third-party due diligence must be carried out to assess whether a third party maintains security practices consistent with WSP’s standards. A method statement describing the risk assessment that must be undertaken to select a third party to provide an outsourced or cloud computing service is set out in the Global Cloud Services and Application Development Policy.
You must report actual or potential data breaches in accordance with the Global Information Security Incident Management Policy as soon as you become aware of the respective incident. This allows us to investigate and take remedial steps if necessary and make any required notifications to supervisory authorities and affected individuals and organizations where legally required to do so.
All Data Subject requests for access, changes to, or information pertaining to the Personal Information held by WSP will be handled in accordance with WSP’s Data Subject Request Procedures. WSP will comply with valid Data Subject rights and any Employee who receives an information request or other request to exercise a data protection right must immediately forward such request to the WSP Privacy Office.
See also: GDPR Annex.
Where required by law, WSP will not send direct marketing material electronically (e.g. via email or SMS) unless it has first obtained express consent or has an existing business relationship with the recipient in relation to the services being marketed, and will provide opportunity to opt out. In addition, WSP shall abide by valid requests from Data Subjects to not use their Personal Information for direct marketing purposes and will unsubscribe recipients from receiving direct marketing emails in a timely manner following such a request.
WSP will publish a copy of this Privacy Policy on the Global intranet page and each WSP entity will communicate it to their respective Employees. WSP will raise awareness across the organisation of privacy and associated policies and procedures. Where specific training needs for roles or functions with key data protection responsibilities are identified supplemental training will be provided. All Employees must undertake and complete all mandatory privacy related training.
WSP, through its Privacy Office, any DPO for the respective WSP entity, and in collaboration with the respective WSP entity’s legal department, shall co-operate with and respond to any inquiry, inspection or investigation of a data protection supervisory authority to which it is subject. Where a data protection supervisory authority is authorized by law to audit any WSP entity that is subject to its jurisdiction and is empowered to advise on matters related to this Privacy Policy, such WSP entity must follow any advice given in that regard, unless it conflicts with other overriding local legal or regulatory requirements to which the WSP entity is bound.
Where a WSP entity believes that a conflict with applicable laws prevents it from fulfilling its duties under this Privacy Policy, including following the advice of an applicable data protection supervisory authority, the entity will notify the Privacy Office.
WSP is responsible for and must be able to demonstrate compliance with the Privacy Principles referred to in this Privacy Policy and applicable privacy and data protection laws. WSP will monitor and enforce compliance with this Privacy Policy, WSP policies referred to in this Privacy Policy and applicable privacy and data protection laws for assurance that our Processing of Personal Information is compliant with those policies. These policies will be produced to supervisory authorities on request.
Breaches of this Privacy Policy could give rise to financial and reputational losses for WSP. Local laws in the jurisdictions in which WSP operates may also result in criminal sanctions and civil penalties for a breach of those laws, which can involve personal liability. Employees who violate this Privacy Policy or applicable laws may be subject to appropriate disciplinary action, as set out in the Code and as authorized by law.
In the event of a conflict between this Privacy Policy and any local privacy or data protection laws and regulations applicable to WSP in any jurisdiction then the most stringent requirements must be applied.
Under this Privacy Policy, the Code, and applicable law, there are several ways to raise complaints or concerns regarding compliance with this Privacy Policy or applicable privacy laws. Reports can be made in accordance with the reporting mechanism set out in the Code or on an anonymous basis through WSP's Whistleblowing Service, for which the contact details are available in the Code as well as on dedicated pages on WSP's web and intranet sites or directly by telephone or e-mail.
An alleged instance of non-compliance with this Privacy Policy can also be raised to privacy@wsp.com, to a regional Privacy representative, a country DPO (if any) or local Human Resources Manager.
A response to any complaint made to WSP will be communicated within 30 business days of the complaint being made, unless otherwise required by law to be met sooner or unless circumstances, such as concurrent government investigations, require a longer period. In such a case, the requestor will be notified in writing as soon as practicable of the general nature of the circumstances contributing to the delay. In addition to the above, the GDPR gives Data Subjects in Europe the right to make a complaint to a data protection supervisory authority, in particular in the European Union member state where they are habitually resident, where we are based or where an alleged infringement of data protection law has taken place. In the UK, Data Subjects can make a complaint to the Information Commissioner’s Office. WSP shall co-operate as reasonably required by supervisory authorities.
The rights contained herein are in addition to and shall not prejudice any other rights or legal remedies that a Data Subject may otherwise have at law.
All Employees are responsible for complying with this Privacy Policy, in particular by understanding:
The local designated representatives of WSP’s Privacy Office.
The risks, in particular to clients and WSP, in the event of a data breach.
The implications and impact of breaches of privacy and data protection laws, such as heavy fines and penalties.
The GDPR, when it applies, and the obligations that it imposes.
The rights of European Data Subjects, and the WSP Data Subject Request Procedures.
When privacy due diligence and Data Protection Impact Assessments (“DPIAs”) should be carried out with third parties who access Personal Information, where required by law or applicable policies and procedures.
and by contacting the Privacy Office where:
Personal Information is being handled in new or different ways (for example, using new or changing technologies, systems and processes) or where there may be specific areas of risk (for example, because those new or changing technologies, systems and processes will handle Sensitive Personal Information).
You are planning on engaging in any new projects or initiatives that may involve the large-scale Processing of Personal Information or the Processing of Sensitive Personal Information.
You receive any privacy or data protection related complaints.
You identify a need to amend or develop a privacy notice (so that the Privacy Office can help you ensure that an appropriate privacy notice is made available in compliance with applicable law).
You are engaged in an initiative involving any Personal Information being transferred from Europe to, or accessed by, individuals located outside Europe. See also: GDPR Annex.
Ownership and responsibility for reviewing and updating this Privacy Policy rests with the Privacy Office. Material changes will be appropriately communicated to Employees.
The Global Privacy Program Charter is available on the WSP global intranet page. The Privacy Office, overseen by the Chief Ethics and Compliance Officer, is responsible for promoting, monitoring, and advising on privacy and data protection compliance and for assisting the organization with understanding its obligations. Employees can direct any questions about this Privacy Policy and compliance with applicable data protection and privacy laws and regulations to the Privacy Office: at privacy@wsp.com, directly to their regional or local privacy representatives, to their country DPO (if any) or local Human Resources Manager. Please see this page for global and regional privacy contact details.
Type of document | Governing policy

Version | Issuance Date | Owner | Approval for Board submission | Board approval date | Summary of changes
1.0 | May 2018 | Julianna Fox, Chief Ethics and Compliance Officer | Steeve Robitaille, Global CLO, EVP M&A | May 2018 |
2.0 | August 2020 | Julianna Fox, Chief Ethics and Compliance Officer | Philippe Fortier, Global CLO | 27 July 2020 |
3.0 | January 2022 | Privacy Office | Global Policy Approval Committee | November 2021 | Amendments for UK GDPR, inclusion of new policies, update for changes in law re: cross-border transfers, new information on business practices
Personal Data collected from or about European Data Subjects, or by a WSP entity established or within Europe must be collected and processed in accordance with European data protection laws, including the GDPR and other national data protection legislation across Europe.
WSP is committed to compliance with the GDPR and has set in place the appropriate technical and organizational measures to ensure that its responsibilities are met.
Defined terms for this section from the Glossary include Europe, European Data Subject, Processing, Processor and Controller. For the purpose of this GDPR Annex, “Personal Data” has the meaning given to the term in the GDPR.
With regard to Personal Data subject to GDPR, a WSP entity will be either a Controller or Processor of Personal Data and, in some instances, will be acting as both when performing different Processing activities both for itself and on behalf of another Controller.
Before undertaking any Processing activities with Personal Data, WSP establishes if the WSP entity processing the data is acting as a Controller or a Processor.
Where WSP and a third party jointly determine the purpose or share a common purpose for processing the Personal Data, the third party and WSP will likely be deemed to be joint Controllers.
When contracting with a Processor, specific contractual provisions must be in place.
When contracting with a Joint Controller, specific arrangements must be in place.
All contracts with third parties that contemplate the handling of Personal Data should be reviewed by the Legal department and, where appropriate, the Privacy Office.
Records of Processing activities regarding Personal Data must be maintained and held with the Privacy Office detailing:
the categories of Data Subjects whose Personal Data is processed
the types of Personal Data processed
the purposes of Processing
data flows between countries
the data transfer mechanism in place, where applicable
applicable data retention periods
GDPR requires that we implement privacy by design measures when Processing Personal Data by implementing appropriate technical and organisational measures (such as Pseudonymization) in an effective manner to ensure compliance. The measures implemented must be assessed by taking into account:
the state of the art
the cost of implementation
the nature, scope, context and purposes of the Processing; and
the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
Controllers must also conduct DPIAs in respect of high-risk Processing (as defined by the GDPR). WSP has integrated privacy-friendly systems and controls into its practices for:
Hiring and offboarding Employees
Collection of Personal Data
Collection of valid consent
Data breach incident response
Security risk assessments
Records retention
E-mail and direct marketing
Health and safety
Interactions with works councils
The monitoring of offices and Employees
Access and delegation of access to e-mail
E-discovery
Complaints and internal investigations
WSP has embedded Privacy into its business operations by maintaining procedures for:
Collection and use of Sensitive Personal Data
Third party and service provider contracting and due diligence
Conducting DPIAs before committing to a relevant project, contract, or process
Maintenance of data quality
Collection of valid consent
Secure handling (and destruction) of Personal Data
The UK GDPR and the EU GDPR restrict data transfers to countries outside Europe to ensure that the level of protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
WSP is responsible for ensuring that transfers of Personal Data outside Europe (whether to other WSP entities or to third parties, including service providers or clients) are only conducted if (1) the transfer is based on a clear business need, the receiving entity has appropriate organizational and technical security measures in place and, where one of the parties to the transfer is acting as Processor, appropriate contract terms are in place as required by Article 28 GDPR; and (2) the following requirements are met:
the receiving party, if a WSP entity, is party to the WSP Intra-Group Data Transfer Agreement (the “IGA”) and the respective transfer is in scope of the IGA as a Current Processor Transfer or Current Controller Transfer (as such terms are defined in the IGA); or
the receiving party is located in a country determined as providing an equivalent level of data protection and which is subject to an adequacy decision made by the European Commission (for Personal Data subject to the EU GDPR) or UK adequacy regulations (for Personal Data subject to the UK GDPR); or
where the receiving party is located in a country for which there is no adequacy decision or adequacy regulations in place (as referred to above) either (a) the transfer will be subject to “appropriate safeguards” (for example under standard contractual clauses (SCCs)) that provide Data Subjects of the transferred data the level of protection essentially equivalent to the GDPR; (b) the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or (c) the transfer is necessary for one of the other reasons set out in the UK GDPR (for Personal Data subject to the UK GDPR) or EU GDPR (with respect to Personal Data subject to the EU GDPR).
The GDPR now requires Controllers to carry out a transfer impact assessment before relying on “appropriate safeguards” (as referred to above). You must contact the Privacy Office to carry out a transfer impact assessment. If the assessment concludes that the appropriate safeguards do not provide the required level of protection, additional measures may need to be implemented.
In accordance with GDPR and applicable national data protection law, Data Subjects in Europe have the following rights, subject to applicable conditions and exceptions:
To be informed as to the way in which WSP processes their Personal Data.
To withdraw consent to Processing at any time.
To access the Personal Data WSP holds about them.
To request that WSP rectify inaccurate data or to complete incomplete data.
To request that Personal Data that WSP holds about them is erased if it is no longer necessary in relation to the purposes for which it was collected or Processed.
To request that WSP restrict the processing of that information.
To request that their Personal Data be transferred to a third party.
To object to the processing of Personal Data where WSP is relying on legitimate interest and the objection is to Processing on this ground. There is also a right to object to processing Personal Data for direct marketing purposes.
Rights in respect of Automated Decision Making.
To make a complaint to a supervisory authority (see “Complaints and Dispute Resolution” in this Privacy Policy).
To request a copy of an agreement under which Personal Data is transferred outside Europe.
To be notified of a Personal Data Breach which is likely to result in a high risk to their rights and freedoms.
The identity of an individual requesting the exercise of any Data Subject right must be verified before any Personal Data is disclosed. WSP will respond to valid requests in the timeframe required by applicable law.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Controller: A Controller means any entity which determines the purposes and means of the Processing of Personal Information. Generally, a Controller will be an entity which makes any of the following decisions:
whether to collect Personal Information
which items of Personal Information to collect, i.e. the content of the data
the purpose(s) Personal Information is to be used for
which individuals to collect data about
whether to disclose the data, and if so, who to
whether Data Subjects can access or exercise other rights with respect to their Personal Information
how long to retain the data
Data Protection Impact Assessment (DPIA): a tool used to identify, assess and mitigate the risks of a data processing activity. Data Protection Impact Assessments should be conducted for all major system or business change programmes involving the Processing of Personal Data and otherwise in accordance with local operating procedures applicable to any WSP entity.
Data Subject(s): A Data Subject is an identified or identifiable natural person, and can include WSP Employees, clients, business partners or other individuals. An identifiable individual is one who can be identified directly or indirectly from the Personal Information.
DPO: a data protection officer appointed by a WSP entity in a jurisdiction subject to the GDPR that requires their appointment under local law.
Employee(s): Employees may include, depending on the context, current, former and prospective employees, as well as independent contractors and other individuals subject to an employment-type relationship with WSP.
EU GDPR: The EU General Data Protection Regulation applicable in the EEA and Switzerland.
Europe: The EEA, UK and Switzerland.
European Data Subject: A European Data Subject is a Data Subject who is resident or otherwise based in Europe.
European Economic Area (EEA): means the European Union, Iceland, Liechtenstein and Norway.
GDPR: The EU GDPR and the UK GDPR.
Explicit Consent: consent which requires a very clear and specific statement (not just an action).
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Personal Information: Personal Information (which may also be described as “Personal Data” in certain data protection laws, such as GDPR) is all information that relates to an identified or an identifiable Data Subject. In the event that the definition of Personal Information in this Privacy Policy is inconsistent with a definition of Personal Data, Personal Information, or similar concept under applicable privacy or data protection law, then the definition of such concept under applicable privacy or data protection law shall prevail solely to the extent of the inconsistency.
Processing: Processing is any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor: A Processor means any entity which processes Personal Information on behalf of a controller. Processors have limited scope to make any decisions regarding Personal Information and will only be processing Personal Information under very strict instructions of the controller. A Processor has the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf, but it cannot take any of the overall decisions, for example what the Personal Information will be used for or what the content of the Personal Information is. Such decisions must only be taken by the controller. However, a controller may permit its Processor to decide:
what IT systems or other methods to use to collect Personal Information
the means to store Personal Information
the detail of the security surrounding Personal Information
the means used to transfer Personal Information from one organization to another
the means used to retrieve Personal Information
the method for ensuring a retention schedule is adhered to
the means used to delete or dispose of Personal Information.
Pseudonymization: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Sensitive Personal Information: Sensitive Personal Information is a subset of Personal Information that contains either information about, or from which one can infer, a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data about physical or mental health or condition, genetic and biometric data, sex life, and criminal record data. Sensitive Personal Information includes special categories of Personal Data and Personal Data relating to criminal convictions and offences as described under the GDPR.
UK GDPR: the UK General Data Protection Regulation and the UK Data Protection Act 2018