This policy sets out the basis on which we will process any personal data we collect from you, or that you provide to us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it. For the purpose of applicable Data Protection Legislation, we are the data controller of the data that you provide to us. You can contact us by emailing us at firstname.lastname@example.org for general data protection enquiries, questions, issues, etc. and at GDPRrequests@louisberger.com for data subject access requests, i.e., requests from individuals to amend, view, or erase their personal data.
1 How do we collect information?
1.1 We obtain information from our staff, our service providers, agencies/authorities and our service users during the normal course of our business.
1.2 We obtain information from potential business partners and business intermediaries through our due diligence check which is part of our procurement process.
1.3 We may collect information that is available in the public domain, including but not limited to: newspaper or online media items, publicly available posts on LinkedIn or social media or Companies House listings.
1.4 We obtain personal information from you when you enquire about our activities, register with us, send or receive an email, ask a question or otherwise provide us with personal information.
1.5 We may also receive information about you from third parties that introduce you to us, for example from our service providers or partner organisations who provide us with your information.
1.6 We may obtain information from you if you “like” our page on Facebook, follow us on Twitter or connect with us on LinkedIn ("social media platforms"). We would only have access to your information to the extent that you have made it public on those social media platforms.
1.7 We may obtain information from you if you contact our Compliance and Ethics office (via email, HELPLINE etc.). We may collect information which you voluntarily provide. If this includes special category information we will only use this with your consent.
2 What information do we collect?
2.1 The personal information we collect includes but is not limited to: name, date of birth, email address, postal address, telephone number, the company you work for, associated projects and the industry in which you work.
2.3 For potential business partners and business intermediaries, advisors and professional experts, and other third party suppliers, the information we collect may include:
- Name and address.
- Position and details of your work history, including length of time in the business and countries where you operate, business contact details, email and telephone number.
- Shareholder information, percentage of shares ownership information and directors’ information.
- Other publicly available information as part of our due diligence checks.
- Disclosure of any history of criminal activities and details of any investigation, charges and convictions, and any anti-corruption proceedings taken against you.
- Passport, qualifications, certificates, CV, reference letters, language capabilities, signature, registration/license for Chartered Institutes.
2.4 If you are a key employee or director of a Louis Berger client company or business partner, we collect information that may include special category data as part of our due diligence checks via the Securimate system.
3 How do we use this information?
3.1 We will use your personal information:
3.1.1 to provide and promote our consultancy and advisory services;
3.1.2 for recruitment purposes;
3.1.3 for business development, i.e., bid proposals;
3.1.4 to provide you with products or information you have requested;
3.1.5 for direct marketing;
3.1.6 to maintain our own accounts and records;
3.1.8 for the purpose of anti-corruption and compliance review as part of our vetting activities and internal investigations.
3.2 We take appropriate measures to ensure that the personal information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.
4 Our lawful basis for processing
We collect the information for the purposes set out above. The lawful basis on which the information is processed includes:
- Processing is necessary for the execution and/or performance of a contract to which you (or your employing company) are a party. If you fail to provide this information we may be unable to execute and/or perform the contract.
- Processing is necessary for the purpose of the legitimate interest pursued by Louis Berger or a third party, except where your rights as a data subject override our legitimate interest. Our legitimate interest in this case is good management of the Louis Berger business.
- Your consent for processing special category data for the Compliance and Ethics Office.
- Where processing is not necessary for the above reasons, we only process your information with your consent, or as otherwise required or permitted by law.
5 Who do we share our information with?
5.1 We may share your information with other members of the Louis Berger group, for the purposes listed above. This may require transfers of your information to other countries inside and outside the European Economic Area (EEA).
5.2 Such transfers are made as permitted by having an agreement in place with the recipient using the applicable Model Contract clauses as required by the European Commission (Data Transfer Agreement). Where no Model Contract is in place, we only make such transfers as expressly permitted under applicable data protection legislation, for example with your explicit consent.
5.4 We may also need to disclose your information to third parties if required by law (for example to government bodies and law enforcement agencies) or if we have your permission to do so.
5.5 We may with your consent share your information with third parties who request references from us.
6 How long do we keep your information for?
We keep your information for no longer than is necessary. We will retain your information for any period required by law, for example for compliance in the UK with Her Majesty’s Revenue and Customs requirements. Where we are not under a legal obligation to retain your information, we will determine what is necessary by reference to the lawful basis for processing set out above and our legitimate interests.
If you have any questions about how long we keep your information, please contact us at the email address stated at the beginning of this document.
7 How do we protect personal information?
We take appropriate technical and organisational measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.
8.1 You have a right to ask us to confirm whether we are processing information about you, and to request access to this information ("right of access").
8.2 You also have the right to be informed of the safeguards we have in place relating to any transfers of your information to another country or to an international organisation.
8.3 You may ask us, or we may ask you, to rectify information you or we think is inaccurate, and you may also ask us to remove information which is inaccurate or complete information which is incomplete ("right to rectification"). If you inform us that your personal data is inaccurate, we will inform relevant third parties with whom we have shared your data so they may update their own records.
8.4 You have a right to ask us to restrict our processing of your information ("right to restriction") if:
8.4.1 you contest its accuracy and we need to verify whether it is accurate;
8.4.2 the processing is unlawful and you ask us to restrict use of it instead of erasing it;
8.4.3 we no longer need the information for the purpose of processing, but you need it to establish or defend legal claims;
8.4.4 you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests;
8.4.5 If you exercise your right to restrict processing, we would still need to process your information for the purpose of exercising or defending legal claims, protecting the rights of another person or for public interest reasons.
8.5 You have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data ("right of portability"). This right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
8.6 You have a right to seek the erasure of your data (often referred to as the "right to be forgotten"). You may wish to exercise this right for any reason, for example where it is no longer necessary for us to continue holding or processing your personal data you may withdraw your consent. You should note that we are entitled to and reserve the right to retain your data for statistical purposes. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.
8.7 You have the right to lodge a complaint with a supervisory authority in your region.
8.8 If you wish to exercise these rights, contact us via email at: GDPRrequests@louisberger.com, as stated at the beginning of this Policy.
9.1 If your personal details change, please help us to keep your information up to date by notifying us via email at the above address. This does not affect any HR process or system already in place with regards to notification of any change in personal data.
If you are employed by or work for a Louis Berger entity outside the European Union, to the extent that information about you is processed by a Louis Berger entity within the European Union this policy applies to you in respect of that information only.
Information we process about you
A personnel file containing information about your work history with us and including (but not limited to) the following (the HR Data):
- your contact details, home address, personal email and telephone;
- your family and dependents, next of kin and emergency contact information;
- your date of birth and national insurance number;
- your CV and details relating to your recruitment, including all information provided by you on the employee enrolment form; including qualifications, certificates, reference letters, language capabilities, signature, registration/licence for Chartered Institutes;
- details of your employment history and employment contract (or contract for services, as applicable), including date joined and information relating to termination of your employment;
- passport details, domicile and immigration status;
- your job title and ID number;
- your photograph;
- geographical and location data;
- your business telephone and email address;
- working hours and attendance records;
- bank details;
- financial information, such as your salary, bonus and benefits;
- pension, third party payments and other deductions from salary;
- training records, including attestations, transcripts and reports;
- holiday and sickness absence records;
- medical information including doctors' notes and self-certification;
- appraisal and performance records; and
- information relating to any disciplinary or grievance procedures, including the outcome of such procedures and, if applicable, warnings issued to you.
There may also be other information about you located within Louis Berger, for example in your line manager's inbox or desktop; with payroll; or within documents stored in a relevant filing system.
How we use your information
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else's interests).
- Where it is needed in the public interest.
Where we rely on our legitimate interests, this is in the legitimate interest of conducting the business in accordance with good practice, and managing the relationship with you.
We only collect special category information to the extent necessary to comply with our employment law obligations or as otherwise permitted by law.
Berger Holdings Group, Inc. (BGH) is responsible for the hosting, support and maintenance of the IT Systems across the Louis Berger group of companies (the Group). All information, including HR data, stored electronically by Louis Berger is processed by BGH as a data controller in common with Louis Berger International, Inc. (LBI). The processing by the entities under LBI requires a transfer of personal data to the United States of America. The purpose of this transfer is to ensure the consistency and transparency of business practices across the Group, and to enable BGH to monitor, oversee, control and manage corporate information (including personal data) and how this is collected, used and protected across the Group on a worldwide basis. Transfers between LBI, its entities and BGH are made pursuant to the Data Transfer Agreement.
To ensure that Louis Berger project managers across the group are able to accurately assess labour costs and ensure the successful running of projects, certain personnel’s salary information may be accessible by their project manager, regional leads and project accountants via internal applications such as the Single Project Portal. The country in which this data shall be accessed and processed shall reflect the region in which the Louis Berger employee is placed and in which the project is located. Therefore, the project manager in that region, as well as regional leads shall have access to data such as labour costs affecting their project.
As a global professional services corporation, Louis Berger collects your CV for the purpose of bid/proposal submissions. As part of this process, your CV is shared with potential clients and may be transferred to countries located outside the EEA.
Information relating to your employment, including promotions, disciplinary and grievance matters, is shared with appropriate senior management personnel across the Group via the Authority Matrix.
The Authority Matrix in particular requires a transfer of information outside the EEA. In accordance with the executed Data Transfer Agreement with all Louis Berger recipient entities we have ensured that the information is adequately protected in the hands of the recipient.
Other tools that Louis Berger uses which may store your personal data include: Costpoint, ProjectWise, and other internal applications.
We may share information about hours and salary with clients to the extent necessary for the client to manage, audit and review any project you are working on. Sharing this information with clients is necessary for the payment of our invoices. We do not identify employees by name in our invoices, but it is possible that you may be identifiable from such information.
Louis Berger may collect information relating to health or medical information, race/ethnic information, religious/philosophical beliefs, and gender ("sensitive personal data" or "special category information" for the purpose of data protection legislation) from staff for equal opportunities monitoring purposes. Where such information is collected, Louis Berger will anonymise it unless the purpose to which the information is put requires the full use of the individual's personal information. If the information is to be used, Louis Berger will inform employees on any monitoring questionnaire of the use to which the data will be put, the individuals or posts within Louis Berger who will have access to that information and the security measures that Louis Berger will put in place to ensure that there is no unauthorised access to it.
We may process your information for administrative, legal, management and personnel purposes and for all purposes relating to your employment. We use third party processors to provide services, including IT and Payroll services, on behalf of Louis Berger. All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. Where our processors are based outside the EEA, we ensure that we fully comply with Article 28 of the EU GDPR.
Louis Berger will ensure that personal information about an employee, including information in personnel files, is securely retained. Louis Berger will keep hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls and passwords and encryption software will be used where necessary.
Louis Berger provides training on data protection issues to all staff who handle personal information in the course of their duties at work. Louis Berger will continue to provide such staff with refresher training on a regular basis via the Berger Learn portal. Such staff are also required to have confidentiality clauses in their contracts of employment.
Louis Berger may monitor staff by various means including, but not limited to, recording staff activities on CCTV, and your use of equipment or services paid for by Louis Berger, whether directly or indirectly, including but not limited to email, telephone and internet systems in accordance with our IT Policies. We may use the results of such monitoring in disciplinary proceedings.
Where practical, Louis Berger will inform staff that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The employee will usually be entitled to be given any data that has been collected about him/her. Louis Berger will not retain such data for any longer than is absolutely necessary.
In exceptional circumstances, Louis Berger may use monitoring covertly. This may be appropriate where there is, or could potentially be, damage caused to Louis Berger by the activity being monitored (for example, where an employee is suspected of stealing property belonging to Louis Berger or a third party, or misusing Louis Berger systems or resources or is engaged in fraudulent or criminal activity) and where it is not practical to procure the information by non-intrusive means.
Covert monitoring will take place only in accordance with any privacy recommendations set out in the applicable privacy impact assessment or as authorised by the supervisory authority.