HOK Accelerates Carbon-Neutral Goal, Outpacing Industry Standards

This site uses cookiesMore Information.

Privacy Policy

Data Privacy Addendum

HOK's Third-Party Data Privacy Addendum

Version: 3.0 | (updated: February 21, 2024)

This version of the Third-Party Data Privacy Addendum applies to, and is incorporated into, all contracts (each a “Third-Party Contract”) between any HOK Group, Inc. company (including all subsidiaries and affiliates each referred to individually or collectively as “HOK”) and any third-party supplier of products or services including all vendors and subconsultants (each a “Third-Party Contractor”).

1.0     DEFINITIONS

The following defined terms shall have the following meanings:

Applicable Data Protection Laws” shall mean the data protection laws and regulations applicable to the Third-Party Contract including, without limitation, the CCPA, GDPR, UK GDPR as defined below and the UK Data Protection Act 2018.

CCPA” shall mean the California Consumer Privacy Act of 2018.

“EEA” shall mean the European Economic Area.

EU” shall mean the European Union.

GDPR” shall mean the EU General Data Protection Regulation 2016/679.

Personal Information” shall have the meanings set out in the Applicable Data Protection Laws or, in the absence of a statutory definition, Personal Information shall mean any information relating to a person or their household that enables that person to be identified either directly or indirectly.

UK” shall mean the United Kingdom of Great Britain (England, Wales, Scotland) and Northern Ireland.

“UK GDPR” shall mean the retained EU law version of GDPR which forms part of the law of the UK.

data subject”, “consumer”, “controller”, “processor”, “processing”, and “sell” shall have the meanings set out in the Applicable Data Protection Laws or, in the absence of a statutory definition, as they are commonly defined.

2.0     SCOPE 

This Third-Party Data Privacy Addendum applies only to the Personal Information of residents of the EEA, UK, Switzerland and the State of California. 


3.0     OBLIGATIONS

Each of HOK and Third-Party Contractor:

  1. Shall comply with the Applicable Data Protection Laws and this Third-Party Data Privacy Addendum and shall not perform its obligations under the Third-Party Contract in such a way as to cause the other to breach any of its obligations under Applicable Data Protection Laws and this Third-Party Data Privacy Addendum;
  2. Agree that, under the GDPR and UK GDPR, the factual arrangements between them may dictate the classification of Third-Party Contractor as a “data processor of the Personal Information of UK and EEA Data Subjects;
  3. Agree that, under the CCPA, the Third-Party Contractor shall act as a Service Provider in its provision of services to HOK for the business purposes set forth in the Third-Party Contract, including where the Third-Party Contractor collects Personal Information on the behalf of HOK;
  4. Acknowledge that as between HOK and the Third-Party Contractor, HOK retains all rights, title, and interest in the data (Personal Information or otherwise) including any amendments or alterations to such data made by Third-Party Contractor or on Third-Party Contractor’s behalf; and
  5. If any of these obligations are unclear, Third-Party Contractor shall notify HOK and seek clarification, in writing, by email to privacy@hok.com or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance.

4.0     PROCESSOR/HANDLER OF PERSONAL INFORMATION

Where Third-Party Contractor processes or otherwise handles Personal Information on behalf of HOK, Third-Party Contractor shall:

  1. Process and handle the Personal Information only in accordance with the Third-Party Contract and the documented instructions of HOK and not make any use of the Personal Information for its own purposes, regardless of whether the Personal Information is converted to an anonymized and/or aggregated form;
  2. Implement appropriate technical and organizational measures to protect the Personal Information against unauthorized or unlawful processing, and handling and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorized or unlawful processing or handling, accidental loss, destruction or damage to the Personal Information and having regard to the nature of the Personal Information which is to be protected and shall include inter alia as appropriate:
    1. The pseudonymization and encryption of the Personal Information;
    2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing the Personal Information;
    3. The ability to restore the availability and access to the Personal Information in a timely manner in the event of a physical or technical incident; and
    4. A process for regular testing, assessing and evaluating the effectiveness of technical and organization measures for ensuring the security of any processing;
  3. Only permit the Personal Information to be processed or handled by persons who are bound by enforceable confidentiality obligations and take steps to ensure such persons only act on Third-Party Contractor’s instructions in relation to the processing or handling;
  4. Not transfer Personal Information outside of the UK or EEA without the prior written consent of HOK and, where HOK consents to such transfer, warrant that safeguards are in place to ensure that the Personal Information is protected to the level required by the GDPR or UK GDPR, as applicable;
  5. Obtain prior written consent from HOK to transfer the Personal Information to any agents, subcontractors, affiliates or any other third parties and, where HOK consents, Third-Party Contractor shall:
    1. Ensure that any such agents, subcontractors, affiliates or other third parties are subject to, and contractually bound by, at least the same obligations as Third-Party Contractor is to HOK under this Third-Party Data Privacy Addendum;
    2. Provide to HOK copies of any documentation to demonstrate compliance with the obligations in this Third-Party Data Privacy Addendum; and
    3. Remain fully liable to HOK for all acts and omissions of any agents, subcontractors, affiliates or third parties;
  6. Within 48 hours and in any event without undue delay alert and inform HOK in writing of a breach of Personal Information (including, but not limited to, any unauthorized or unlawful processing, handling, access to, loss of, damage to or destruction of Personal Information) suffered by Third-Party Contractor or by any agents, subcontractors, affiliates or third parties to which Personal Information has been transferred and provide all necessary cooperation and assistance to enable HOK to comply with its obligations under Applicable Data Protection Laws and to reduce the impact of the incident on its business operations and reputation. Third-Party Contractor shall not inform any third party of the Personal Information breach without first obtaining HOK’s prior written consent, except when law or regulation requires it;
  7. Keep detailed, accurate and up-to-date written records regarding any processing of the Personal Information, including but not limited to, the access, control and security of the Personal Information, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organizational security measures (“Records”);
  8. Permit HOK (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit Third-Party Contractor’s data processing activities to enable HOK to verify and/or procure that Third-Party Contractor is complying with its obligations under this Third-Party Data Privacy Addendum;
  9. On HOK’s request, and at no additional cost to HOK, assist HOK to respond to requests from Data Subjects and Consumers who are exercising their rights under Applicable Data Protection Laws and forward to HOK all communications it receives from third-parties relating to the processing or handling of any Personal Information which suggests non-compliance by HOK or Third-Party Contractor with Applicable Data Protection Laws and not do anything or enter into any communication with such third-party unless expressly authorized in writing to do so by HOK or required by applicable law;
  10. On HOK’s request, assist HOK to comply with HOK’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding  provisions of the Applicable Data Protection Laws), comprising (if applicable): (a) notifying a supervisory authority that Third-Party Contractor has suffered a data breach; (b) communicating a data breach to an affected individual; (c) carrying out an impact assessment; and (d) where required under an impact assessment, engaging in prior consultation with a supervisory authority, but Third-Party Contractor shall not communicate with any supervisory authority or affected individual unless expressly authorized in writing to do so by HOK or required by applicable law;
  11. Unless applicable law requires otherwise, upon termination of the Third-Party Contract, at the option of HOK comply or procure compliance with the following: (i) delete all Personal Information related to the Third-Party Contract in Third-Party Contractor’s possession or control, permanently, safely and securely and provide HOK with a certificate of destruction within 7 days after such deletion or destruction; and/or (ii) return to HOK all such Personal Information and any other information provided by HOK to Third-Party Contractor; and (iii) cease to process the Personal Information;
  12. If any applicable law requires Third-Party Contractor to retain any documents, materials, or Personal Information that Third-Party Contractor would otherwise be required to delete, destroy, or return, notify HOK in writing of that retention requirement, giving details of the documents, materials or Personal Information that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or return once the retention requirement ends.
  13. Not sell to any third-party the Personal Information of any person (including without limitation, Sell the Personal Information of any Consumer as these terms are defined under the CCPA);
  14. Notify HOK within 5 days if it receives a request from a Consumer/Data Subject for access to their Personal Information or to exercise any of their other rights under Applicable Data Protection Laws;
  15. Upon HOK’s written request, and subject to and in accordance with all applicable laws, Third-Party Contractor, as a Service Provider, agrees to promptly delete any and all Personal Information of a Consumer / Data Subject;
  16. Indemnify and keep indemnified HOK against all losses, costs, expenses, damages, liabilities, demands, claims, actions or proceedings which HOK may incur or suffer, including fines or penalties awarded against it by the relevant data protection regulator, because of any breach of any of the obligations set out in this Third-Party Data Privacy Addendum; and
  17. If Third-Party Contractor is unable to comply with any of the foregoing obligations, promptly notify HOK in writing by email to privacy@hok.com or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance.

5.0     PROCESSING PARTICULARS

Third-Party Contractor acknowledges that the factual description of the subject-matter, duration of the processing or handling, the nature and purpose of the processing or handling, the type of Personal Information and the categories of Data Subjects and Consumers (the “Processing Particulars”) are as set out in Schedule 1.

6.0   CHANGES TO THIS ADDENDUM

As we strive to improve our practices, we may review HOK’s Third-Party Data Privacy Addendum from time to time. We reserve the right to change this policy at any time and to notify you of those changes by posting an updated version of this policy on our website. It is your responsibility to check our policy each time before you access our website for any changes.

7.0     QUESTIONS

For questions about this Third-Party Data Privacy Addendum, please contact us by email to privacy@hok.com or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance Officer.

Processing Particulars

Subject matter of Processing: the provision of services by the Third-Party Contractor under the Third-Party Contract.

Duration of Processing: the term of the Third-Party Contract.

Nature of Processing: the Third-Party Contractor will process (including collecting, recording, organizing, storing, retrieving, using, sharing, combining, deleting, and destroying) Personal Information for the purpose of providing the services under the Third-Party Contract and otherwise as necessary to perform its obligations and exercise its rights under the Third-Party Contract and this Third-Party Data Privacy Addendum.

Business Purposes: Performance of a contract.

Personal Data Categories:

  • Full names;
  • Company addresses;
  • Job titles;
  • Telephone numbers; and
  • Email addresses.

Data Subject Types: Employees and officers of HOK Group Inc, its clients, potential clients and/or suppliers.

Identify Third-Party Contractor’s legal basis for processing Personal Data outside the UK or EEA in order to comply with cross-border transfer restrictions (where applicable): Standard Contractual Clauses

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×