1. What is this Notice about?
This Data Privacy Notice explains how we collect and use personal information in a number of different situations. The Notice consists of this Overview section, which applies to everyone, and various other sections describing the processing that we may undertake depending on the relationship(s) we have with you. Words which are underlined have specific definitions. You can find the definitions in the Glossary.
The information in this Notice is important, so we have tried to make it very easy to navigate. Use the links to locate the sections that are relevant to you. These will help you find out more about how we collect, use and share personal information in our relationship or interaction with you.
2. Who is the data controller of my personal information?
The contact details of each of the Company's data controllers and, where applicable their representatives and relevant data protection contact, are available here.
If you have a contractual relationship with us, the BAE Systems group company identified in that contract (whether issued by us or a third party) will typically be the data controller of your personal information. In addition, processing of personal information may be carried out by another group company for its own purposes, in which case that other group company will be the data controller of your personal information.
3. How do you use my personal information?
The sections of this Notice will help you understand how we manage and use your personal information in our relationship or interactions with you.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If the way that personal information will be processed differs from the details provided in this Notice or is incompatible with the original purpose the data was collected for, additional information regarding this processing will be provided to you.
We may amend the content of the Notice from time to time to keep it up to date with current legal requirements and the way we operate our business.
4. What is the basis on which you justify processing my personal information?
To carry out any processing of your personal information, we need to ensure that we have a particular reason to do so. We have set out the reasons we have for processing your personal information in the various sections of this Notice.
The reasons that we have for processing your personal information directly relate to the legal grounds for processing set out in Data Protection Law. We have also identified these legal grounds within this Notice.
Please contact us if you have any questions or would like more detail regarding our reasons for processing your personal information.
5. What are the general legal grounds for processing personal information?
The general legal grounds for processing all types of your personal information and what they mean are described further below:
| Legal ground | Description |
|---|---|
| The processing is needed to enter into or perform a contract with you. | We can process your personal information where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This means that we can carry out the actions needed to conclude or execute our contract with you. |
| The processing is needed so that we can comply with our legal obligations. | We can process your personal information where this processing is necessary for compliance with a legal or regulatory obligation to which we are subject. Therefore, we can carry out any actions we need to take to comply with applicable laws. |
| The processing is needed for our legitimate interests. |
We can process your personal information where the processing is necessary for our legitimate interests, provided that those interests are not overridden by your interests or rights. Where we are relying on this ground as the basis for our processing, we will tell you what our legitimate interests are and you will see these in this Notice. |
| You have given your consent to the processing. | We can process your personal information where you have given consent for us to process such personal information for a specific purpose. |
| The processing is needed for vital interests. | We can process your personal information where the processing is necessary to protect your life or someone else’s life. |
| The processing is needed for a public task. | We can process your personal information where the processing is necessary for us to perform a task in the public interest or an official functions, and the task or function has a clear basis in law. |
6. What are the additional legal grounds on which you justify processing my special categories of personal information?
To process your special categories of personal information, we need to rely on a particular condition to do so, in addition to the general legal grounds set out above. The conditions for processing special categories of personal information are set out in Data Protection Law.
We have set out the reasons we have for processing your special categories of personal information in this Notice, along with the relevant general and additional legal ground for processing. These additional legal grounds for processing special categories of personal information and what they mean are described further below:
| Legal ground | Description |
|---|---|
| The processing is needed for carrying out our employment law obligations. | We can process special categories of personal information where the processing is necessary for us to carry out any actions we need to undertake in order to comply with our obligations under employment, tax and health and safety law. |
| The processing is needed for occupational medicine. | Our external and internal occupational health advisers can process special categories of personal information where the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, or to provide a medical diagnosis. |
| The processing relates to personal data that has been manifestly made public by the data subject. | We may process special categories of personal information where you have taken active steps to make the information public, such as by publishing the information in publicly available social media posts. |
| The processing is necessary for reasons of substantial public interest. | We can process special categories of personal information where the processing is necessary for reasons of substantial public interest, as set out in the applicable local law. These are explained in this Notice, where relevant. |
| The processing is needed to protect your life or the life of another. | We can process special categories of personal information where the processing is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent. This means that we can process your special categories of personal information in exceptional emergency situations, such as a medical emergency, for example. |
| The processing is needed for legal claims. | We can process your special categories of personal information if the processing is necessary for the establishment, exercise or defence of legal claims. |
7. What if I don’t provide you with my personal information?
In some cases, if you do withhold specific information we may not be able to continue our relationship with you, if we believe we require the relevant information to support the effective and efficient administration and management of that relationship.
For example, for employees, we require your identity information, contact and payroll information in order to pay you. If this is not provided, we may be unable to manage our contractual relationship.
8. How do you keep my information secure?
The Company is committed to protecting the security of the personal information we process. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
9. Where do you get my personal information from?
In most cases, we receive the personal information directly from you. You either provide this to us at the outset of our relationship or do so at another time during your interactions with us. This will include personal information that you input into a form or through any self-service function, as well as information that you give to the HR team, your Company contact and to any member of our workforce.
We may create personal information about you during your relationship with us– see internal sources below.
In some cases, we get personal information about you from third party sources – see external sources below.
| Internal sources |
In addition to the personal information that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management or your Company contact, as appropriate. In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, IT network use logs and reports, and email and Internet access logs and reports), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by us or a third party provider of the relevant service on our behalf. |
|---|---|
| External sources |
We may also obtain some personal information from third parties. If you are a representative of a supplier or a customer, we may receive your personal information directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery and corruption and Know Your Client checks. If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or from a third party that we engage to carry out security vetting or a background check (where permitted by applicable law). In some instances, we may obtain some personal information from public information sources such as Companies House in the UK. |
10. When do you share my information with others?
Within the Company, your personal information can be accessed by or may be disclosed internally on a need-to-know basis – see internal recipients below.
Your personal information may also be accessed by third parties, including suppliers, advisers, national authorities and government bodies – see external recipients below. We have sought to identify these parties in this Notice.
In addition, there are circumstances where we may need to disclose your personal information to third parties, to help manage and secure our business, and to deliver our services. We may disclose your personal information to third parties if:
- We sell or buy any business, in which case we may disclose your personal information to the prospective seller or buyer of such business;
- BAE Systems plc or substantially all of its assets are acquired by a third party, in which case personal information held by it about you will be transferred to that third party;
- We are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, to comply with national security requirements set by the government of the United Kingdom or of another jurisdiction in which we operate, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the UK, Europe and around the world, or to our legal advisers;
- It is necessary to protect the rights, property, or safety of BAE Systems plc or any member of the BAE Systems group of companies, our customers, suppliers or others, in which case we may disclose your personal information to our legal advisers and other professional services firms; and
- They provide services to us connected with your relationship with us.
Where these third parties (or any others) act as a data processor (for example, a payroll provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Notice. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services.
| Internal recipients |
Internal recipients of your personal information may include:
Personal information may also be shared inside of the Company between certain interconnecting IT systems.In addition, where relevant, certain basic personal information (which may include your name, location, job title, contact information and any published skills and experience) may also be accessible to the Company's employees for the purposes set out in this Notice.
|
|---|---|
| External recipients |
External recipients of your personal information may include:
Personal information contained in our IT systems may be accessible by providers of those systems, their associated companies and sub-contractors (such as those involved with hosting, supporting and maintaining the framework of our HR information systems). We expect these third parties to process any data disclosed to them in accordance with the contractual relationship we have with them and applicable law, including with respect to data confidentiality and security. In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
|
11. Is any of my personal information transferred overseas?
We share your personal information within the BAE Systems group of companies as set out in this Notice (see “When do you share my information with others?” above).
Any transfers of personal information within the BAE Systems group will be covered by an intra-group agreement which gives specific contractual protections to ensure that your personal information receives an adequate and consistent level of protection wherever it is transferred within the group.
In addition, some of the external organisations (see “When do you share my personal information with others?” above) we share your personal information with may be located outside of the country in which you are based. We will always take steps to ensure that any transfer of personal information between jurisdictions is carefully managed to protect your privacy rights, such as by relying on approved standard contractual clauses for the transfer of personal information to third countries, other legally acceptable safeguards that ensure an adequate level of protection, or derogations available under Data Protection Law.
Any requests for information we receive from law enforcement or regulators will be carefully checked before personal information is disclosed.
If you have any questions regarding overseas transfers, or to see a copy of the safeguards we rely on for any transfer (where applicable), please contact us.
12. How long do you retain my personal information?
We will retain your personal information for as long as is reasonably necessary for the purposes explained in this Notice.
In some circumstances we may retain your personal information for longer periods of time than is needed for those purposes described in this Notice. For instance: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal information as current as possible, securely deleting records and irrelevant or excessive data, and storing information in a manner which no longer identifies you.
13. How do you manage the personal information about other individuals, other than myself?
Apart from personal information relating to you, you may also provide us with personal information of third parties, for instance, your family or dependants, or your colleagues. Where this may be the case, we have set this out in this Notice.
Before you provide information about others to us, you must first inform these individuals that you intend to provide their details to us and of the processing to be carried out by us, as detailed in this Notice.
14. What are my rights?
The following section sets out your rights in relation to your personal information. Please note that some of these rights are only available in specific circumstances.
Right to access your personal information
You have the right to request access to any of your personal information that the Company may hold, and to request correction of any inaccurate data relating to you.
You should note that we do not always need to comply with your requests, and some exemptions to the right of access will often apply, but we will ensure that this is explained to you if this is the case.
Data portability
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the reason or legal ground for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to rectify (correct) personal information
You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it. You also have a responsibility to ensure that changes to your personal information are notified to the Company as soon as possible so that we can ensure that your data is up-to-date.
Right to erase personal information
You can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- you have made a successful objection (see right to object below); or
- it has been processed unlawfully; or
- it is necessary to comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation;
- for the establishment, exercise or defence of legal claims; or
- we are able to rely on another exemption set out in Data Protection Laws.
Right to restriction of processing
You have the right to restrict our processing of your personal information but only where:
- you contest the accuracy of the personal information, pending us taking sufficient steps to correct or verify its accuracy;
- the processing is unlawful but you do not want us to erase the data;
- we no longer need the personal information for its original purpose, but we require it for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interest grounds (see below), pending verification as to whether the Company has compelling legitimate grounds to continue processing.
Where personal information is subjected to restriction in this way, we will only process it with your consent; for the establishment, exercise or defence of legal claims; or to protect the rights of another natural or legal person.
Right to withdraw consent
Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our policy) or (ii) contacting us.
Right to object to processing justified on legitimate interest grounds
Where the reason for processing your personal information is our legitimate interests, you have the right to object to that processing. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, where we need to process the data for the establishment, exercise or defence of legal claims, or where we are able to rely on another exemption set out in Data Protection Law.
Processing based solely on automated decision making
Where decisions made solely by automated means are permitted under applicable laws, you can obtain human intervention, express your point of view, and contest the automated decision.
Right to object to the use of your personal information for direct marketing purposes
The nature of our business means we do not routinely conduct any direct marketing aimed at specific individuals. In the event that you receive direct marketing from us, you can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to complain to a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that our processing of your personal information infringes applicable law.
15. How do I exercise my rights?
If you wish to exercise your rights, you should contact us or make contact with your usual BAE Systems contact or manager.
Where we cannot verify your identity to a reasonable satisfaction using information already in our control, we may ask you for information to help prove your identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to fully address your request, for example, if it would impact the privacy rights of others, or if we are otherwise legally entitled to deal with the request in a different way.
16. What if I want more information?
If you are not satisfied with the level of information provided in this Notice, you can contact us using the details provided in the Contact Us section of this Notice.
17. How do you manage changes to this Notice?
We amend this Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business.
This Notice was last updated on 6 January 2026.