Privacy / Data Protection policy
Company registration details and Group
Mott MacDonald Group Limited, a company registered in England under number 1110949 ("we", "us", "our")
Registered office: Mott MacDonald House, 8-10 Sydenham Road, Croydon, Surrey CR0 2EE United Kingdom
We, and our affiliated Group companies worldwide, are committed to respecting your privacy and recognise your need for appropriate protection and management of any personally identifiable information ("personal data") you share with us.
The Group has established this Policy so that you can understand the care with which we intend to treat your personal data.
The Group strives to comply with all applicable laws around the globe that are designed to protect your privacy, based on this Policy as a standard. Although legal requirements may vary from country to country, the Group intends to adhere to the principles set out in this Policy even if, in connection with the above, we transfer your personal data from your country to countries outside of the EEA that may not require a high level of protection for your personal data.
This Policy describes how we collect and process personal data from persons who provide us with their personal data, whether through our website (https://www.mottmac.com/) or by otherwise interacting with us, as set out below.
This Policy applies to individuals who use any of our websites, as well as to those individuals that use, complete or enter into any database, software, questionnaire, form, survey, services, agreement or other document that hyperlinks to this Policy.
How to contact us
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Policy, please contact us at email@example.com or by writing to the “Data Protection Officer” at the address noted above.
From 25 May 2018, our data processing activities will be governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPRs"). For the purpose of the GDPRs, we are the 'Data Controller' of all personal data obtained by us as set out in this Policy, because we ultimately determine how your personal data will be handled by us or our sub-contractors, who would be our 'Data Processors'.
If we handle your personal data then you are a "Data Subject". This means you have certain rights under the GDPRs in relation to how your personal data is processed, which are set out in this Policy.
'Personal data' is any information that can be used to identify you, including your name, e-mail address, IP address, or any other data that could reveal your physical, physiological, genetic, mental, economic, cultural or social identity.
'Special category data' means information about you that is sensitive and includes your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
Personal data that we collect in relation to you
The personal data that we collect may include (but is not limited to):
- Your name.
- Your e-mail address and contact information.
- Your internet protocol address or other online identifiers.
- Location data.
- Genetic identity factors.
- Pseudonymous data.
- Event attendance and dietary requirements.
How we collect your personal data
If you contact us (by telephone, e-mail, instant messenger or voice over IP) we will collect your personal data and process it in accordance with the processes outlined in this Policy, including our Privacy Principles and the basis for processing your personal data. This may include discussing matters with you in relation to an enquiry about our services or a contract that we may enter into with you, or because you have subscribed to our newsletter or request a publication from us.
We may collect personal data:
- that you provide directly to us through questionnaires, forms, surveys or other documents that hyperlink to this Policy;
- about you from use of CCTV which may be in operation at our offices, or those offices where we provide our services. Any personal data collected from use of CCTV will be used by us for the purposes of ensuring the safety and security of our staff or those people coming onto our premises, or the premises where we provide our services. Such CCTV will be retained for as long as is necessary to ensure there are no issues relating to safety and security that need to be addressed and then only for so long as needed to deal with such issues. If there are no issues to address, then such footage shall be kept for no longer than we believe is reasonably necessary.
How we use your information
This Policy tells you what to expect when we collect your personal data.
We will only process your personal data if we have a legal basis for doing so, as outlined in this Policy or as notified to you at the time we collect your personal data, and for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you prior to commencing that processing and we will explain the legal basis which allows us to do this. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Your personal data may be shared in accordance with our principles on transfers to third parties as set out later in this Policy, including (but not limited to) the following:
- any member of our Group, including our subsidiaries or holding companies;
- third parties where we are under a duty to disclose your personal data to comply with any legal obligation, or to appropriate regulators or other law enforcement organisations;
- third parties to whom we choose to sell, transfer, or merge parts of our business or our assets;
- third party suppliers to us, including (for example) insurance providers, brokers, auditors and our IT providers.
If your personal data is to be shared with any other third parties, we will take steps to protect your personal data.
Where you provide us with special category data, we may use such data on an anonymised basis for the purposes of monitoring and producing anonymised reports, including for the purposes of our reporting on equality, diversity and inclusion. However, we shall obtain your consent for such processing.
On what basis we process your personal data.
We are not allowed to process your personal data unless we have a legal basis for doing so.
There are four main legal bases that we rely on when it comes to processing someone’s personal data. These are:
(1) “Legitimate interest” – this is where we need to process your personal data, for example, if we need to contact you because you have raised a general query with us or where we are in contact with you about this or similar issues, or, in terms of your IP address and any information gathered via “Cookies”, to aid your use and navigation of our website (https://www.mottmac.com) or any microsites or Mott MacDonald links on our web. We may also have a legitimate interest to contact you about services that may be of interest to you as part of our marketing campaigns, in accordance with this Policy.
(2) “Necessary for performing a contract” – this is where we are in a contract with you (or about to enter into a contract with you and you have requested certain pre-contract details) and we need to use your personal details to complete this contract – for example, we might need to use your e-mail address to communicate with you, which would count as processing your personal data.
(3) “Consent” – this is where we set out specific circumstances where we want to process your personal data and request your consent for this. We will make sure that your consent is explicit. We will usually ask you to tick a box (or similar) to confirm that you have provided your consent. For example, unless we have a legitimate interest to contact you about our services that we would like to market to you, then we would obtain your consent to market to you in the alternative. If you have any questions about the specific circumstances please contact our Data Protection Officer (details above). Please note that you can withdraw your consent at any point by contacting our Data Protection Officer for further information at firstname.lastname@example.org.
(4) “Compliance with a legal obligation” – this is where we might need to process your personal data in order to comply with a common law or statutory obligation, such as disclosures for compliance with HMRC requirements, requirements relating to money laundering or other such disclosures. We will only process your personal data for this reason if it is necessary and we would not otherwise be able to comply with that legal obligation without such processing.
Marketing: As mentioned above, we may market to you on the basis that we have legitimate interests to market our business and we may have identified the organisation that you work for as a business that we would like to market to. We will therefore rely on legitimate interests as our legal basis for processing your personal data that may be connected to your organisation’s contact records for this purpose, however we will balance this against your rights as a data subject and will no longer market to you if you wish to unsubscribe from receiving such marketing communications directly to your contact details. Alternatively, where we do not have a legitimate interest to market to you, then we will seek your consent to do so, which will then be our legal basis for contacting you in that way.
Our Privacy Principles
- Notice about what we do with your data
- Choice on providing us with your personal data
- Access and accuracy of your data
- Third party services / processing
- International transfers
- How we decide how long to retain your personal data
- Automated decision making
- Your rights as a data subject
- Children’s privacy
We will only process your personal data in accordance with notices set out in this Policy, or as provided to you at the time we collect your personal data (if necessary for the intended processing).
If you choose not to provide the personal data we request, you can still visit the Group’s websites, but you may be unable to access certain services that involve our interaction with you.
If you choose to have a relationship with the Group, such as a contractual or other business relationship or partnership, we will naturally continue to contact you in connection with that business relationship, in accordance with this Policy and any additional contractual terms agreed with you.
To the extent that you do provide us with personal data, we wish to maintain accurate personal data. Where we collect personal data from you, we want to provide a means for you to contact us should you need to update or correct that information. If for any reason those means are unavailable or inaccessible, you may send updates and corrections about your personal data to email@example.com and we will incorporate the changes to your personal data that we hold and try to do so as soon as practicable.
Third parties provide certain services available on our behalf. We may provide personal data that we have collected on the website to third party service providers to help us deliver programmes, products, information, and services. Service providers are also an important means by which the Group maintains its website and mailing lists.
Where we provide your personal data to third parties who are acting on our behalf (known as “Data Processors”) we will have in place a written agreement with each third party confirming on what basis the third party will handle your personal data and will ensure that there are sufficient safeguards and processes in place to protect your personal data.
The third parties that we may send your personal data to are either within the European Economic Area (“EEA”), Group companies under the protection of our Binding Corporate Rules, or third parties where other suitable protection mechanisms as laid out in the GDPRs are available (see section 5 below).
We are part of a global group of companies with offices in locations in the UK, Europe and countries such as India, USA, Australia and China.
From time to time we may transfer your personal data from within the EEA to our offices outside of the EEA, such as those listed above. To ensure that your personal data will be adequately handled in such circumstances, we will have put in place “binding corporate rules” by the implementation date of the GDPRs for our group companies to comply with. “Binding corporate rules” set out rules by which all of our group companies have to abide and these rules set out that your personal data will be handled in a way that matches the GDPRs so that where your personal data is being transferred to one of our global companies it will be processed in line with our EEA-based companies, regardless of which country they are in (even if they are outside of the EEA).
Separate to the above, we may also transfer your personal data to countries outside of the EEA to other people or companies for one of the legal bases for processing your personal data as indicated above. Where we do so, we will put in place safeguards in accordance with applicable law (including Articles 44 to 50 of the GDPR). These safeguards may include taking steps to check that any country or international organisation to which your personal data will be transferred offers an adequate level of protection to protect your personal data, as well as (if applicable) the use of EU Model Clauses in any contract with that third party for steps to be taken to keep your personal data secure.
We cannot definitively set out how long we will retain all personal data in this Policy – this is a general notice that deals with different personal data collected for a variety of reasons. However, we decide how long we will retain your personal data based on the following factors:
- If we are performing a contract for you – for the length of that contract and for approximately 15 years afterward to deal with any post-contract issues.
- If you are in contact with us – we will retain your personal data as long as it is necessary for us to conclude the relevant correspondence with you.
- Whether we think there is a likelihood of you contacting us again in the near future or if we think we need to contact you again, provided that the legal basis (see above) for doing so still exists, for no longer than is necessary in respect of that legal basis.
We may introduce various technologies that may make an automated decision which uses your personal data to reach a specific decision. If we intend to use such automated decision making technologies, you will be told at the time we wish to introduce such technologies and we will obtain your consent to such use and processing of your personal data.
You have the following rights in relation to your personal data:
- The right to be informed - this is information on the purpose for which we are processing your personal data and what personal data we are processing.
- The right of access - you have the right to be provided with copies of your personal data that we are processing as well as confirmation of the processing we are doing. You can do this by sending a "subject access request" to the contact details noted above for our consideration.
- The right to rectification - if you think the personal data that we hold on you is inaccurate or incomplete you can tell us and we will fix it.
- The right to erasure (also known as the right to be forgotten) - if you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing - if you do not like how we are using your personal data then you can let us know and we will stop processing it in that way.
- The right to data portability - if you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent - you can withdraw your consent for us to process your personal data (if we have relied on your consent to process your personal data) at any time by contacting us. If we have relied only on your consent as the basis to process your personal data then we will stop processing your personal data at the point you withdraw your consent. Please note that if we can also rely on other bases to process your personal data aside from consent then we may do so even if you have withdrawn your consent for different purposes under that different legal basis.
- Rights in relation to automated decision making and profiling - if we use either automated decision making or profiling then you have a right to know. Also, we will seek your consent if either of these are used to make a decision that affects you. As with all consent, you can withdraw it at any time.
To exercise any of your rights, please contact our Data Protection Officer at firstname.lastname@example.org. In addition to the above, as a data subject you can file a complaint with your local data protection authority within the EEA if you are not happy with how we are processing your personal data. Please note that you can use whichever local data protection authority within the EEA that is most convenient for you.
Where you exercise your right to request access to the personal data we process about you, you will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate access requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
None of our websites or microsites are structured to necessarily attract children. Accordingly, we do not intend to collect personal data from anyone we know to be under 16 years of age.
Although our services are not targeted at children, there may be some incidental collection of personal data relating to children that takes place as part of our service offering, or in respect of our staff arrangements. If we know or suspect we are going to handle personal data in relation to children and are relying on consent to do so, then we will obtain consent from a parent or guardian of the relevant child before handling that child's personal data.
Visitors to our websites
When someone visits www.mottmac.com, our main corporate website, or any of our related Microsites, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting any of our websites. We will not associate any data gathered from these sites with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will make it clear when we collect it and explain what we intend to do with it.
Our Group websites contain links to external websites. Please note that we are not responsible for the privacy practices of any websites other than our own.
Remember the Risks Whenever You Use the Internet: While we do our best to protect your personal data, we cannot guarantee the security of any information that you transmit to us and you are solely responsible for maintaining the secrecy of any passwords or other account information.
We would like to place cookies on your computer to help us make your use of our website better. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Just so you know, the main cookies on your site are from Google Analytics tracking and there's also a session cookie generated by our website that is essential to the running of the website but holds no personal data.
Please see our Cookies Policy for further details about the cookies we use.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Other tracking technologies: Some of our website pages utilize cookies and other tracking technologies. A cookie is a small text file that may be used, for example, to collect information about website activity. Some cookies and other technologies may serve to recall personal data previously indicated by a website user. Most browsers allow you to control cookies, including whether or not to accept them and how to remove them.
You may set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser, but please note that if you choose to erase or block your cookies, you will need to re-enter your details to gain access to certain parts of the website.
We may also analyse information that does not contain personal data for trends and statistics.
Where personal data is sent from our website about visitors to our website, this is secured by encryption using the latest protocols and working methods to keep such data secure.
Changes to this Policy
As and when necessary, changes to this Policy will be posted on our website. Where changes are significant, we may also email you and where required by law, we will obtain your consent to these changes.