The Global Data Protection Policy applies to the global organization of Sodexo entities (hereinafter designated as “Sodexo”) for all dimensions and activities, in all geographies where we operate.
This policy applies to the Processing of Personal data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used. In this Policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the global organization of Sodexo entities.
COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA
COMPLIANCE WITH THE EUROPEAN DATA PROTECTION LAW AND ANY ADDITIONAL APPLICABLE DATA PROTECTION LOCAL LAW
We are committed to complying with any applicable legislation relating to Personal data and we shall ensure that Personal data is collected and processed in accordance with provisions of the European data protection law and other applicable local law, if any.
LAWFULNESS, FAIRNESS AND TRANSPARENCY
We do not collect or process Personal data without having a lawful reason to do so. We may have to collect and process your Personal data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal data for Sodexo’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.
When collecting and processing your Personal data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal data, for what purposes your Personal data are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible, or it requires disproportionate efforts to do so.
When required by applicable law, we will seek your prior consent (e.g. before collecting any Sensitive Personal data).
LEGITIMATE PURPOSE, LIMITATION AND DATA MINIMIZATION
Your Personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
When Sodexo acts for its own purposes, your Personal data is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management, finance, treasury and tax management, risk management, management of employees’ safety, provision of IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.
When providing our services for the benefit of our clients or between us, we may also process Personal data on behalf of a Controller (either a client or any other Sodexo entity acting as such) essentially for the effective operation, management, performance, and delivery of our services across the globe. We will ensure that Personal data processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
DATA ACCURACY AND STORAGE LIMITATION
Sodexo will keep Personal data that is processed accurate and, where necessary, up to date. Also, we only keep Personal data for as long as necessary for the purposes for which it is processed (in accordance with our Global Data Retention Policy). Sodexo will act upon the instructions of its clients in order to assist them in complying with this obligation.
SECURITY OF YOUR PERSONAL DATA
We implement appropriate technical and organizational measures to protect Personal data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information Security Policy.
We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal data. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal data. We also provide additional security safeguards for data considered to be Sensitive Personal data.
DISCLOSURE OF YOUR PERSONAL DATA
We can, in the usual course of our business and for the purposes of the processing, share your Personal data with the relevant personnel within the Sodexo Group, or with our duly authorized suppliers/vendors, contractors/subcontractors, to ensure consistency in our employment activities, maximize the quality and efficiency of our services and our business operations.
We may also be obliged to disclose Personal data to regulatory authorities, courts, and government agencies where required by law, regulation or legal process, or to defend the interests, rights or property of Sodexo or related third parties. Otherwise, we will not share your Personal data with other parties unless you request it or have given us prior approval to such sharing.
INTERNATIONAL PERSONAL DATA TRANSFERS
European data protection law does not allow the transfer of Personal data to countries outside UE/EEA that do not ensure an adequate level of data protection. Some of the countries in which Sodexo operates are not regarded by European Supervisory authorities as providing an adequate level of protection for individuals’ data privacy rights.
For transfers of your Personal data to such countries, either to entities within or outside the Sodexo Group, Sodexo has put in place another adequate safeguard to protect your Personal data. You will be provided with more information about any transfer of your Personal data outside of Europe at the time of the collection of your Personal data through appropriate privacy statements.