COMPANY PRIVACY NOTICE

Purpose
VINCI Construction Holding Limited and its subsidiaries of every tier (“The Organisation”) is committed to maintaining the accuracy, confidentiality and security of the personal information of individuals whose data we process as part of doing business.

This Privacy Notice describes what personal information The Organisation collects from or about its data subjects, how it is used, why it is used and to whom it may be disclosed.

Scope
This Privacy Notice applies to any data subjects of The Organisation, such as Employees, Contractors, Third Parties working on behalf of The Organisation, clients, and the general public who may come into contact with The Organisation.

Introduction
We gather and use certain information about individuals to conduct our business effectively.
We also collect information to better understand how individuals use our IT systems and to present timely, relevant information to you.
This Privacy Notice is updated from time to time. This Privacy Notice was last updated on: 18/04/2023
If you have any questions about this notice, please email privacy@vinciconstruction.co.uk or write to: Data Protection Officer, VINCI Construction Holding Limited, Astral House, Imperial Way, Watford, Herts, WD24 4WW.

How we obtain information about you
● We collect personal information about applicants, employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.
● We may sometimes collect additional information from third parties including former employers, referees, credit reference agencies or other background check agencies.
● In addition, we will collect additional personal information in the course of job-related activities throughout the period of you working for us.
● If you contact us directly via our websites, email or telephone to request information about our products and services.
● If you reply to our direct marketing campaigns (e.g. filling out a response card).
● If you procure a service directly from us.
● If you procure a service from us through one of Partners.
● When you work for or visit The Organisation at one of our locations equipped with security systems.
● If you operate a company vehicle or plant equipment equipped with telematics.
● If, with your permission where necessary, your contact details are passed to us by a Partner or other third-party.
● When you report a problem with our website.
● When you contact us or we contact you, we may keep a record of that correspondence (e.g. telephone calls and written communication).
● We may ask you to complete surveys that we use for research purposes.
● If, with your permission where necessary, other VINCI Group legal entities or business partners transfer your personal data to us.
● From third-party suppliers with whom we have a contract to supply services.
● If we acquired your personal data from other sources (such as private companies or institutions, public registers, social media sites) with your permission.
If you give us information on behalf of someone else you must ensure that you have their permission to do so and that they have been provided with this Privacy Notice before doing so.
If you are under 16 please do not provide us with any of your information unless you have the permission of your parent or guardian.
Please help us to keep your information up to date by informing us of any changes to your contact details or marketing preferences.
You may request a change to your personal information / preferences by clicking here.

What data we gather from you
For all individuals we may collect:
● Name and job title.
● Contact information including email address and phone number.
● Demographic information, such as postcode, preferences and interests.
● Website usage data such as pages accessed, time of access and IP address.
● Home address contact details for the purpose of sending postal communications.
● Information you provide us about your interests.
● Information relating to purchases and services, including complaints and claims.
● How you use our website and whether you open or forward our communications, including information collected through cookies and
other tracking technologies (see the “Cookies and how we use them” section for further details).
● Other information relevant to the use of other IT services offered by The Organisation.
● If you visit a company location we may collect CCTV imagery, ANPR imagery and/or Biometric access control data.

For individuals who work for, or on behalf of, The Organisation:
● we may collect, store and use various categories of personal information about you such as your personal details, emergency contact information, recruitment information, employment records, payment details, performance information, disciplinary and grievance information, information obtained through electronic means (such security swipe card records) and information about your use of our IT and communications systems.
● we may also collect, store and use “special categories” of more sensitive personal information such as information about your race or ethnicity, religious beliefs and sexual orientation, your health and about any criminal convictions and offences.

How we use this data
We will only use your personal information when the law allows us to.
Most commonly, we will use your personal information in the following circumstances
1. where we need to perform the contract we have entered into with you
2. where we need to comply with a legal obligation
3. where it is necessary for our legitimate interests (or those of a third-party), apart from where your interests, freedoms or fundamental rights override those interests

We may also use your personal information in the following situations, which are likely to be rare
1. where we need to protect your interests (or someone else’s interests)
2. where it is needed in the public interest

Collecting this data helps us operate our business effectively and offer improved client and employee experiences.

Below are some specific examples of how your data might be used.
For all individuals:
● For our own internal records.
● To carry out our obligations arising from any contracts entered by you, your company and us.
● To contact you in response to a specific enquiry.
● To seek your views or comments on the services we provide.
● To notify you of changes to our services.
● To customise and secure our IT services.
● To contact you with information about company updates, services, offers and other things we think might be relevant to you.
● To control access to, provide security services for, and record working time at company locations.

For individuals working for, or on behalf of, The Organisation:
● Making a decision about your recruitment, appointment and potential promotions
● Conducting performance reviews, managing performance and determining performance requirements
● Making decisions about pay reviews
● Gathering evidence for possible grievance or disciplinary hearings
● Dealing with legal proceedings involving you, or other employees, workers and contractors, including accidents at work
● Ascertaining your fitness to work
● Managing sickness absence
● Complying with health and safety obligations
● To prevent fraud
● To monitor your use of our IT and communication systems to ensure compliance with our IT policies
● For equal opportunities monitoring, but not as a mandatory requirement

We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider we need to use it for another reason and that reason is compatible with the original purpose.

Cookies and how we use them
A cookie is a small file placed on your computer’s hard drive. It enables our websites to identify your computer as you view different pages on our websites. Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information like how many people use the website and what pages they tend to visit.

We may use cookies to:
● Analyse our web traffic using an analytics package. Aggregated usage data helps us improve the website structure, design, content and functions.
● Identify whether you are signed in to our websites. A cookie allows us to check whether you are signed in to the site.
● Test content on our websites. For example, 50% of our users might see one piece of content, the other 50% a different piece of content.
● Store information about your preferences. The website can then present you with information you will find more relevant and interesting.
● Recognise when you return to our websites. We may show your relevant content, or provide functionality you used previously.
● Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us.

Controlling cookies:
You can use your web browser’s cookie settings to determine how our websites use cookies. If you do not want our websites to store cookies on your computer or device, you should set your web browser to refuse cookies. However, please note that doing this may affect how our websites function.
Some pages and services may become unavailable to you.
Unless you have changed your browser to refuse cookies, our websites will issue cookies when you visit them.
To learn more about cookies and how they are used, visit All About Cookies.

Controlling information about you
We will never lease, distribute or sell your personal information to third parties unless we have your permission or the law requires us to. Third-party Service Providers working on our behalf: We may pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use thirdparty service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes.

Please be reassured that we will not release your information to third parties for them to use for their own purposes, unless you have requested us to do so or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

Any personal information we hold about you is stored and processed under our data protection policy, in line with the General Data Protection Regulation.

Security
To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards.
When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information transferred to us through The Organisation IT systems is encrypted and protected during transfer via at least 128 Bit encryption on SSL. When you are on a secure page, a lock icon will be shown in modern web browsers such as Microsoft Internet Explorer
and Google Chrome.
Where we have given you (or where you have chosen) a password which enables you to access company IT services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We also follow stringent procedures to ensure we work with all personal data in line with the General Data Protection Regulation.

Your rights
Under certain circumstances, you have the right to review, verify, correct or request erasure of your personal information, object to the processing of it, or request that we transfer a copy of your personal information to another party.

However, if you fail to provide certain information when requested, or object to its processing, we may not be able to perform the contract we have entered into with you (such as paying you or providing a service / benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our staff).

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) (the UK supervisory authority for data protection issues) on individual’s rights under the GDPR. If you would like to exercise any of those rights or have any queries in relation to your
personal information, please contact us by clicking here.

If you are unsatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the ICO.