Privacy policy

Purpose of this policy

 

The following information is provided to you to inform you of Sodexo Luxembourg S.A. (hereinafter “SODEXO”)’s commitments when processing Personal data. 

SODEXO builds strong, lasting relationships with its customers, partners, and consumers based on mutual trust, making sure that their Personal data is safe and remains confidential, which is an absolute priority for SODEXO. 

SODEXO is committed to complying with all Luxembourg and European applicable regulatory and legal provisions governing the protection of Personal data.

SODEXO enforces a very strict privacy policy to guarantee the protection of the Personal data of those who use its websites, portals, applications, and platforms.

SODEXO enforces a very strict privacy policy to guarantee the protection of the Personal data of the Users and the people with whom we are in contact:

▬ Users remain in control of their own data. The data is processed in a transparent, confidential, and secure manner.
▬ SODEXO is committed to a continuing engagement to protect its users’ Personal data in accordance with current or future Luxembourg legislation or regulations, and with the General Data Protection Regulation (EU) of April 27, 2016 (hereinafter "GDPR"). 
▬ SODEXO has a data protection officer that you can contact in case you have a question at the following email address: dataprivacy.oss.lu@sodexo.com. 

SODEXO takes the protection of your Personal Data very seriously.
We have developed this policy to inform you of the conditions under which we collect, process, use and protect your Personal Data on our Website and in the context of the services provided by Sodexo (the “Services”). This policy covers all users, including those who use the Website and the Services without being registered or subscribing to a specific service or account. 

Please read this policy carefully to familiarize yourself with the categories of Personal data that are subject to collection and Processing, how we use this Personal data, and with whom we are likely to share it. This policy also describes your rights and how you can get in touch with us to exercise these rights or to ask us any questions you might have concerning the protection of your Personal data.

This policy may be amended, supplemented, or updated, in particular to comply with any legal, regulatory, case law, or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal requirement otherwise applies and is enforced retroactively.

This policy forms an integral part of the Website’s terms of use.

Identity and contact details of the Controller

The Controller is: 

Sodexo Luxembourg S.A.
Société Anonyme 
L8070 BERTRANGE, 39, rue du Puits Romain-ZA Bourmicht,
Entity’s Registration Number : B 17620
Tel.: +352 26 109 200
Legal Representative: Julien DEMOULIN
Email address of your DPO Dataprivacy.oss.lu@sodexo.com

 

Definitions

• “Controller” SODEXO which determines the purposes and means of the Processing of your Personal data on the Website. 
• “Personal data” Any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more elements specific to that person. 
• “Processing” Any operation or set of operations that is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Processor” Natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller.
• “us” “we” or “our” SODEXO acting as Controller.
• “Website” The website of lu.sodexo.com available at the address https://lu.sodexo.com.
• “you” or “Users” Any user/visitor or beneficiary of the services of SODEXO.

 

How will your Personal data be collected? Is it mandatory that you or others provide your Personal data?

We may collect your Personal data in the following ways below:
▬ Collection of your Personal data directly from you, such as when you complete forms on our Websites or when we provide services directly to you; and
▬ Collection of your Personal data indirectly during your navigation of the Website or via our service providers and/or technologies. 
We will collect your Personal data on a mandatory basis where this is required by applicable local laws or where this is necessary for the performance of the services. 

If we are unable to collect these mandatory Personal data items, we will not be able to manage your access to the Website or to provide you our services.

For which purposes and on which legal basis will your Personal data be collected and processed? What Personal data does SODEXO hold?

 

Data Processing activities	Purposes	Categories of Personal data	Legal basis
Cookies	Personalization of the Website and enhancement of the experience. A more detailed description of how and why cookies might be used on the Websites is at your disposal in our Cookie policy.	▬ IP address, ▬ Cookies, ▬ Statistical data.	Consent, Legitimate Interest in implementing the necessary technical measures for the operation of our Websites and services.
Website navigation	Compliance to Legal Obligations.	▬ Identification Data (name, surname, image - if you provided it), ▬ Technical data (time and date of connection, meta data).	Legal obligation.
Security of Property and persons/videosurveillance	Management of videosurveillance.	▬ CCTV footage.	Legitimate Interest in ensuring the safety of goods and people on our premises.
Communication with Users	Collect and process requests from Users.	▬ Email address, ▬ Any Personal data provided by the Users in their request.	Consent, Legitimate interest in communicating with our users and clients or prospects.
Recruitment	Assessing your skills, qualifications, and suitability for the role during the recruitment process. Carry out the necessary background and/or reference checks.	▬ Email address, ▬ Phone Number, ▬ Name, ▬ Curriculum Vitae, ▬ Diplomas, ▬ Information given with your application,  ▬ Nationality, ▬ Driving licence,Potential data that may be necessary for background checks.	Consent, Legal Obligation, Legitimate Interest in order to take steps at the request of the data subject prior to entering into a contract.
Marketing Management	Management of newsletter and other requests, surveys and statistics, etc.	▬ Email address, ▬ Last name, first name,  ▬ Phone number.	Legitimate interest.
Other	Any other purpose that we may specify to you at the time of collection and described in a specific privacy policy.	▬ Determined at the time of collection and described in a specific privacy policy.	Determined at the time of collection and described in a specific privacy policy.

 

 

To whom will your Personal data be disclosed?

SODEXO is part of an international group (“Sodexo Group”) under the brand Sodexo. 
There is a possibility that your Personal data will be transferred within or outside of the Sodexo Group. 

▬ Within Sodexo

The security and confidentiality of your Personal data is of great importance to us. This is why we restrict access to your Personal data only to members of our staff, to the extent it is strictly necessary to process your Personal data or to provide the services necessary for the Website. We ensure that the persons authorized to process the Personal data have committed themselves to abide by confidentiality agreements or are under an appropriate statutory obligation of confidentiality.

We have also implemented appropriate safeguards to ensure an adequate level of protection of your Personal data, even if the Personal data is processed by another Sodexo entity that did not collect your Personal data originally.

Sodexo has implemented the Sodexo’s Binding Corporate Rules (BCRs) within Sodexo Group. Therefore, even if the third countries in which Sodexo entities operate are located outside of the European Economic Area, your Personal data is protected in the same way that they would have been by any entity located within the European Economic Area. 

▬ Outside Sodexo

We will not disclose your Personal data to any unauthorized third party. We may, however, share your Personal data with authorized service providers (for example, technical service providers (hosting, maintenance), consultants, etc.) whom we may call upon for the purposes listed above in compliance with the applicable data protection laws.

All third-party service providers to whom we have disclosed and transferred your Personal data have been engaged under a binding confidentiality and data processing agreement with SODEXO or the Sodexo Group’s entities, whereby said third party may act only upon the instruction of SODEXO or Sodexo Group’s entities. 

This third-party service provider and/or other contractors, as the case may be, may be located in countries where data protection laws may not provide a level of protection equivalent to your country. If SODEXO or Sodexo group’s entities disclose your Personal data to such recipients, we will establish and/or confirm that, prior to receiving any of your Personal data, they will provide an adequate level of protection for your Personal data, including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection, SODEXO or Sodexo group’s entities will also implement other appropriate measures, such as standard contractual clauses, to secure such transfer in compliance with applicable law. If you want to access a copy of the relevant documentation, please send an email to Dataprivacy.oss.lu@sodexo.com.
 Furthermore, we may share your Personal data (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials, or (iii) if we are of the opinion that transferring this data is necessary or appropriate to prevent any physical harm or financial loss, or in respect of an investigation concerning a suspected or proven unlawful activity.

How long will your Personal data be held?  

We will store your Personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, as described below. This period may be extended, if applicable, for any amount of time prescribed by any legal or regulatory provisions that may apply.

Finally, please note that we may anonymize your Personal data in such a way that you can no longer be identified and continue to use it for statistical purposes. Data used for statistical purposes is no longer classified as Personal data once it has been duly anonymized.

 

Purposes	Categories of Personal data	Data Retention Duration
Personalization of the Website and enhancement of the experience	- IP address, - Cookies, - Statistical data.	▬ Cookies will be held for 13 months in order to fulfill their purposes.  ▬ Session Cookies are automatically deleted from your terminal at the end of your session. ▬ IP address and Statistical data will be kept for as long as necessary for the Processing.
Compliance to Legal Obligations	- Identification Data (name, surname, image - if you provided it), - - Technical data (time and date of connection, meta data).	▬ We will keep your Personal data for the duration of our commercial relationship with you, after which only the data necessary for pre-litigation or litigation purposes will be archived until the prescribed legal period has expired. ▬ The usual limitation period in civil and commercial matters is five (5) years from the end of the contract.
Management of videosurveillance	CCTV footage.	- 8 days.
Collect and process requests from Users	- Email address, - Any Personal data provided by the Users in their request.	- As long as is necessary for the processing of your request.
Assessing your skills, qualifications, and suitability for the role during the recruitment process	- Email address, - Phone Number, - Name, - Curriculum Vitae, - Diplomas, - Information provided with your application.	▬ For the duration of the recruitment process. ▬ With your consent, and in the event of your application being rejected, we will keep your Personal data for a period of six (6) months after we have received your job application so that we can contact you again for any position that may interest you.
Carry out the necessary background and/or reference checks	- Name, - Curriculum Vitae, - Email address, - Diplomas, - Phone Number, - Nationality, - Driving licence,  - Potential data that may be necessary for background checks.	▬ We will keep your data for the necessary to carry out the reference and/or background checks.
Any other purpose that we may specify to you at the time of collection and described in a specific privacy policy	- Determined at the time of collection and described in a specific privacy policy.	- This is specified when your data is collected and in a specific privacy policy.

 

 

Sensitive Personal data

As a general rule, we do not collect sensitive Personal data via our Website or to provide our services. 

“Sensitive Personal data” refers to any information concerning a person’s racial or ethnic origins, political opinions, religious or philosophical beliefs, union membership, health data, or data relating to the sexual life or the sexual orientation of a natural person. This definition also includes Personal data relating to criminal convictions and offenses.

In the event that it would be strictly necessary to collect such data to achieve the purpose for which the Processing is performed, we will do so in accordance with local legal requirements for the protection of Personal data and, in particular, with your prior explicit consent.  

 

Personal Information and Children

Our Websites and services are provided for adults who have the capacity to conclude a contract under the applicable legislation of the country in which they are located. For the provision of the services, we might process Personal data of children, but it is always done with the consent of their legal guardian.

 

Your Privacy Rights

It is important that the Personal data we hold about you is accurate and up to date. Please keep us informed if your Personal data changes by updating your account on the Website. 

SODEXO is committed to ensuring protection of your privacy rights under applicable laws. You will find below a table summarizing your privacy rights under the applicable data protection law, which applies to all Personal data processed on the Website. 

Data Protection right	Description of the right
Right of access and rectification	You can request a copy of the Personal data we hold about you. You may also request the rectification of inaccurate Personal data, or to have incomplete Personal data completed.
Right to erasure	Your right to be forgotten entitles you to request the erasure of your Personal data in cases where: (i) the data is no longer necessary for the purpose for which it was collected; (ii) you choose to withdraw your consent; (iii) you object to the Processing of your Personal data; (iv) your Personal data has been unlawfully processed; (v) there is a legal obligation to erase your Personal data.
Right to restriction of Processing	You may request that Processing of your Personal data be restricted in the cases where: (i) you contest the accuracy of your Personal data; (ii) we no longer need your Personal data for the purposes of the Processing; (iii) you have objected to Processing for legitimate reasons; (iv) the Processing of your Personal data is unlawful and you prefer the restriction of their use instead of their deletion.
Right to data portability	You can request, where applicable, the portability of your Personal data that you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another Controller without hindrance from us where: a) the Processing of your Personal data is based on consent or on a contract; and b) the Processing is carried out by automated means. You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).
Right to object to Processing	You may object (i.e., exercise your right to “opt-out”) to the Processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.
Right not to be subject to automated decisions	You have the right not to be subject to a decision based solely on automated Processing, including profiling, which has a legal effect on you or significantly affects you.
Right to lodge a complaint	You can choose to lodge a complaint with the data protection authority where you habitually reside. You can also lodge a complaint with the courts in your place of residence.
Right to withdraw consent	If we have collected and processed your Personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any Processing we conducted prior to your withdrawal, nor will it affect the Processing of your Personal data which occurred while relying on a legal basis other than consent.

 

To exercise these rights, you can:

▬ Use the online webform: This electronic system allows you to log in and see the progress of your request, see and send messages and review your documents securely. This system is provided by OneTrust and after making the request you will be sent details about how to log on.
▬ You can also raise queries or complaints with the Group Data Protection Officer, by email to dataprivacy.oss.lu@sodexo.com or by post to the following address: 39, rue du Puits Romain, L-8070 Bertrange, Luxembourg.

No fee usually required:

You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.

For more details, please consult the Global Data Protection Rights Management Policy .

Third party beneficiary rights

If applicable in your country, you can enforce the third-party beneficiary rights afforded to you by the Sodexo BCRs. 

 

How will my Personal data be protected?  

We implement all possible technical and organizational security measures to ensure security and confidentiality in Processing your Personal data.

To this end, we take all necessary precautions, given the nature of the Personal data and the risks related to its Processing, in order to maintain data security and, in particular, to prevent distortion, damage, or unauthorized third-party access (physical protection of the premises, authentication procedures with personal, secured access via identifiers and confidential passwords, a connection log, encryption of certain data, etc.).

In addition, if we contract with Processors for all or part of the Processing of your Personal data, we require a contractual agreement from our service providers to guarantee the security and confidentiality of the Personal data that we transmit to them or that they collect on our behalf, in accordance with the applicable regulations on the protection of Personal data.

We regularly conduct audits to verify the proper operational application of the rules relating to the security of your Personal data.

Nevertheless, you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet.

 

Links to other sites/platforms 

Occasionally, we provide links to other platforms for practical and informative purposes. These platforms operate independently from our Websites and are not under our control. These platforms have their own privacy policies or terms of use, which we strongly advise you to read. We do not accept any liability with regards to the content on these platforms, for the products and services that may be offered there, or for any other use thereof.

Unsubscribing

If you have unsubscribed to certain services via our Website and you no longer want to receive emails, please consult the “unsubscribe” page corresponding to the Service you are subscribed to or contact us at the following address: CRM_Group@sodexo.com.

 

How will you be notified if the uses of your Personal data change?

We may update or amend this policy as and when needed. In this case, amendments will only become applicable after a period of 30 business days from the date of the amendment. Please consult this page from time to time if you want to be informed of any possible changes.

If you have any questions or comments with regard to this policy, please do not hesitate to contact us at the following address: dataprivacy.oss.lu@sodexo.com.