Privacy Notice

What personal information does Arup collect and process and how? 

Arup is committed to transparency about your personal information and will only collect and process the personal information we need for a specified purpose. 

Cookies are small files that help us track how our visitors use the website and enable us to understand where we can improve your experience. If you would like to find out which cookies we use and the information they track see our Cookies notice.

Disclosure of your personal information

Who do we disclose it to? 

• Arup Group entities, third parties, agents or independent contractors that provide services to any member of Arup (such as IT systems providers, platform providers, financial advisors, brokers, consultants (including lawyers and accountants).
• Goods and services providers where we are permitted to disclose your personal information to them; (such as providers of marketing services, events managers Technology providers, SaaS, Website, Cloud providers, data hosting, data storage, background checking, Insurance, legal, banking services provider, supplier onboarding, tax and accounting, training, event management, e-business cards.
• Competent authorities (including any national and/or international regulatory or enforcement body, agency, court or other form of tribunal or tax authority) or their agents where Arup is required or allowed to do so under applicable law or regulation;
• A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of Arup’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it;

Transfer of your personal information

As a company operating globally, we strive to provide our customers with our services wherever they are located. To make that possible, your personal information may be transferred to or accessed by entities around the world, including Arup’s affiliates, to execute processing activities as describe in this Privacy notice. Arup makes sure to protect its customer’s personal information by complying with the necessary laws and regulations on the transfer of personal information between countries, wherever they are.

Arup may need to transfer personal information outside of (an “international data transfer”). For transfers outside of the UK or EEA, we may transfer personal information to countries with “adequate” data protection standards as recognised by the European Commission (in the EEA) or the Secretary of State (in the UK).  

When conducting an international data transfer to a country without “adequate” data protection standards, we will apply the necessary safeguards to protect personal information as required under law. Such safeguards may include “Standard Contractual Clauses” (SCCs) that require the person receiving the personal information to protect the personal information to a high standard, and any other necessary technical or organisational safeguards. 

The entity of Arup that controls your personal information may differ depending on where you live. For example, the personal information of individuals in the EU, Switzerland and the UK is generally a different entity that is responsible for the processing of personal information relating to individuals in the US. 

What rights do you have?  

At Arup the satisfaction of our customers is of centre importance. We respect your rights concerning the processing of personal information and provide you with the relevant and appropriate choices. Depending on your location and residency you may have a right to one or more of the following with respect to your personal information we process or control: right of access, right to rectify, right to delete, right to opt out and to object to processing. 

Note that you may have the right to designate another person to serve as your authorised agent, to exercise any of the rights described below. 

Under the EU and UK GDPR, or applicable law, individuals may exercise the following rights over their personal information. You may exercise these rights for free, but under certain conditions we may charge a fee to cover our administrative costs. 

We will aim to comply with your request within one month of receiving your request or within the timeframe defined by applicable law. Depending on the complexity and scope of your request, we may need to extend this one-month period. If so, we will notify you via the contact information you have provided, explaining the reason for the delay and the expected timeframe for fulfilling your request. 

To exercise any of your right, please contact our designated privacy contact here: privacy@arup.com  providing details of your request. 

For Poland - under the Polish Data Protection Law, individuals have the right to request information about personal data that Arup Polska sp.z.o.o has collected about themselves, and to opt out from commercial transactions of that data. Individuals may contact the Poland office on rodo.poland@arup.com or call +48 22 455 4554.

1. The right of access: You have the right to access a copy of your personal information and to request information about how we process your personal information. This includes information about the purposes of the processing, the categories of personal information we process, and the recipients or categories of recipient to whom the personal information have been or will be disclosed. 
2. The right to rectification: You have the right to request that we correct any inaccurate personal information we process about you, and to request that we complete any incomplete personal information we process about you.
3. The right to erasure.  You have the right to request that we erase your personal information under certain conditions, e.g., if the information is no longer needed for its intended purposes, if you have withdrawn your consent, if you have made a valid request under the “right to object”, if the information has been processed unlawfully, or to comply with a legal obligation.   
4. The right to restrict processing. You have the right to request that we restrict how we process your personal information if:
   • You claim that the personal information is inaccurate, and we need time to verify this; or  
   • The processing is unlawful, but you do not want the personal information erased; or  
   • The personal information is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or  
   • You have exercised the right to object, and we need time to determine whether to comply with your objection, under certain circumstances. 
5. The right to object. You have the right to object to the Arup’s processing of your personal information under certain conditions. You have the absolute right to object to us using your personal information for direct marketing. 
6. The right to data portability. Under certain conditions, you have the right to request a copy of the personal information you have provided to us in a structured, commonly used, and machine-readable format.
7. Right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We encourage that you try and resolve the issue with us at first, although you have the right the contact the supervisory authority at any time. 

Please see relevant sections below for further information on the rights available to data subjects in specific jurisdictions where we operate, including the US and China.

How we protect your information

We make it a priority to safeguard the confidentiality and security of any data you share with us. In order to prevent unauthorised access or disclosure we have put in place suitable organisational, people, physical and technological controls to safeguard and secure the information we collect, including locked cabinets, electronic password protection and pass card access to buildings. No data collection, transmission, or storage method is 100% secure,

We have amended the wording to “appropriate security safeguards”, to match the wording used in the GDPR to describe the minimum standard of security.

Third-party websites

Our websites and apps may contain links to third-party websites and apps. When you click on a link to any other website or location, you will leave our service and go to another site, and another entity may collect personal information from you. We are not responsible for these third-party websites or their content. Please be aware that the terms of this Privacy Notice do not apply to these third-party websites or apps, or to any collection of your personal information after you click on links to such third-party websites.

Cookies and other technologies 

We use cookies and similar tools to enhance our ability to deliver our services, to understand how customers use our services so we can improve our customer experience, and to display ad. For more information about cookies and how we use them, please read our. 

Manage your cookie preferences

Artificial Intelligence (AI)

We are committed to using AI responsibly. Any AI tools or systems we deploy are designed and operated with a focus on safety, compliance, transparency, accountability, fairness, and sustainability, as outlined in our AI policy.

Data retention

We will store your personal information for no longer than is necessary to fulfil the purposes described in this privacy notice. We may also be legally required to store personal information for a specific period as may be required for tax and accounting purposes, or as otherwise communicated to you.  When considering retention periods, we first carefully assess whether it is necessary to retain the personal data collected and, if retention is required, we endeavour to retain the personal data for the shortest term permitted by law. 

Contact information 

Our data protection officer can be contacted at privacy@arup.com or at: Data Privacy Manager, Arup, 8 Fitzroy Street, London, UK, W1T 4BJ and will work to address any questions or issues that you have with respect to the collection and processing of your personal information.  

We want to hear from you if you have any comments, questions or concerns don’t hesitate to contact us communications@arup.com. 

U.S. State Consumer Rights

Please note that we will not sell your personal information. However, we may disclose your personal information for business purposes with service providers.

Personal information disclosed for a business purpose

To provide our services, we may need to disclose your personal information to service providers for business purposes. The table below provides further details about how we have shared personal information for business purposes:

Privacy rights for individuals in California, Delaware, New York, Texas, Massachusetts and Pennsylvania

As part of our commitment to protecting your privacy and ensuring transparency, we acknowledge that as consumers in the US you might be entitled to privacy rights under applicable laws. To exercise any of your rights as detailed below, you can submit a written request to our designated privacy contact privacy@arup.com or call  +1 212 896 3000. We will aim to comply with your request within 45 days of receiving your request. Depending on the complexity and scope of your request, we may need to extend this 45-day period

1. Access to Personal Information. You have the right to confirm whether Arup processes personal information about you and request access to the personal information Arup holds about you. For California consumers you have the right to request to know how Arup has collected, used, and/or sold or shared your personal information over the preceding 12 months.
2. Request to correct. You have the right to correct inaccuracies in your personal information taking into account the nature of the personal information and the purposes of the processing of the personal information. 
3. Request to delete. You have the right to request that we delete the personal information we control about you. 
4. Rights over Sensitive Personal Information.
5. Right to opt-out. You have the right to opt out to targeted advertising, the sale of your personal information, and the profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
6. Portability. If you wish to exercise your right to data portability, you may request a copy of your personal data that we hold in a commonly used and machine-readable format. This enables you to securely transmit the data to another organisation of your choice, or, if technically feasible, we may transmit it directly upon your request. 
7. Non-discrimination. We will not discriminate against you for exercising your privacy rights, as outlined in this privacy notice and as provided by applicable laws. This includes, but not limited to denying you goods, services, or benefits; charging different prices or rates for goods or services or imposing unreasonable conditions, based on your exercise of privacy rights. If you believe that you have been subjected to discrimination or retaliation in violation of your privacy rights, we encourage you to promptly report your concerns to our designated privacy contact privacy@arup.com.
8. Right to appeal: If you are unhappy with how Arup has responded to your request to exercise any of the rights above, you may have the right to appeal the decision within a reasonable time. Within 45 days of the date, we receive your appeal, we will inform you of any action we may have taken in response to your appeal, along with a written explanation of the reasons for our response. If you remain unhappy with our response, you may have the right to appeal to your state’s Attorney General.  

Additional information for the People’s Republic of China (PRC)

If there is any inconsistency between the below and the above Privacy Notice, the following shall prevail in respect of the PRC.

Data controller

For the PRC, Arup International Consultants (Shanghai) Co. Limited., Registered office: 30/F THREE itc Tower A, 183 Hongqiao Road, Xuhui District, Shanghai 200030, China, is the data controller. For questions or concerns related to your personal information or related to the Privacy Notice, please contact privacy@arup.com.

Consent

We may obtain your consent (where applicable, separate consent) in accordance with the law to collect, use, share, transfer (including but not limited to overseas transfer), disclose or otherwise process your personal information if and to the extent required by the applicable laws.

How we transfer information across the border

In the provision of our services, supported by Arup Entities around the world, we may transfer your Personal Information outside of mainland China internally to other Arup Entities. We ensure that any Arup Entities accessing your Personal Information follow the same rules when processing it, to protect your data in accordance with applicable laws.

Many of our third-party service providers are located outside of mainland China, which means they may transfer your Personal Information outside of mainland China when processing it. These providers are carefully selected and contractually obligated to comply with applicable data protection laws, including the Personal Information Protection Law (PIPL).

We may disclose your Personal Information in the following ways:

• By permitting remote access to Personal Information stored on servers located within mainland China.
• By direct dissemination (e.g., when you submit information into Arup systems via email, shared links, or telephone).
• By sharing information electronically (e.g., email, video conferencing) or by post.

We may also share your Personal Information with third parties, such as government or judicial authorities, where required by law or with your prior specific consent.

When transferring your Personal Information outside of mainland China, we adopt safeguards as required by applicable laws and regulations. These may include conducting security assessments, obtaining government approvals where necessary, and/or implementing technical and organisational measures (e.g., encryption, access controls, and anonymisation) to ensure data security during transmission.

Your choices and rights

If you are an individual whose Personal Information, and the processing of that Personal Information by the relevant Arup Entity is subject to the application of PIPL, you have certain rights. These rights are identified below together with a brief, non-exhaustive explanation. Where your Personal Information and the processing of your Personal Information are not subject to PIPL these rights do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by PIPL.

If you have any questions in relation to this Notice, or wish to exercise any of your rights, please contact us using the contact details included below. To protect your rights and your privacy and to validate communications received in relation to this Notice, we may request confirmation and proof of your identity.

• The right to information - You have the right to be informed and to ask us to explain our rules of processing.
• The right to determine - You have the right to decide on the processing of your Personal Information.
• The right to restrict processing - You have the right to restrict or deny another person from the processing of your Personal Information, unless otherwise provided by law or administrative regulations.
• The right of access - Subject to certain exceptions, you have the right to access or make copies of your Personal Information from us.
• The right to transfer your personal information - You have the right to request us to transfer your Personal Information to another Data Controller of your choice, where permitted by the applicable laws.
• The right to rectification - If the Personal Information that we process is incomplete or incorrect, you have the right to request their completion or correction at any time.
• The right to deletion - Subject to certain exceptions if you consider that we should stop processing some or all of your Personal Information, you have the right to request its deletion. However, there may be reasons why an immediate deletion may not be possible (for example where retention is required to meet legal or regulatory obligations) or deletion may be technically difficult (in which case we will stop processing the Personal Information, except for the storage and any necessary measure taken for security protection).
• The right to withdraw consent - We may ask for your consent to process your Personal Information in specific cases. When we do this, you have the right to withdraw your consent at any time. We will stop the further processing as soon as possible after the withdrawal of your consent. However, this does not affect the lawfulness of the processing before consent was withdrawn.

Exercising your rights

You may exercise any of your rights by emailing us at privacy@arup.com.

We aim to respond to all legitimate requests in a timely manner and, in any event, within 30 days or the time limit stipulated by applicable laws or regulations. If your request is particularly complex or if you have made multiple requests, it may take us longer than one month to respond. In such cases, we will notify you and keep you updated on our progress.