Global Personal Data Protection Policy

Last update: 15th of September 2021

Your privacy is very important to us. We have developed this Data Protection policy applicable in the Grand Duchy of Luxembourg in order for you to understand how we collect, use, and process your Personal Data (the “Policy”). This Policy describes the measures we take to ensure the protection of your Personal Data. We also tell you how you can reach us to answer any questions you may have about data protection.

SCOPE

The Policy applies to the general organization of Sodexo entities (hereinafter designated as “Sodexo”) for all dimensions and activities, in Luxembourg subject to the General Data Protection Regulation (or “GDPR”) and to the Luxembourg regulations of the protection of personal data.

This Policy applies to the Processing of Personal Data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/Processors, shareholders or any Third parties (hereinafter the “Data Subject”).

WHAT IS THE GDPR?

The General Data Protection Regulation (GDPR) represents the biggest reform of European data protection legislation. It replaced the EU Directive 95/46/EC with a unified framework covering all EU citizens since 25 May 2018.

The GDPR aims to strengthen the protection of personal data of all EU residents, regardless of where it is collected or stored. All companies will therefore have to comply with it, which will have international implications.

COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA

Compliance with the European data protection law and any additional applicable data protection local law

We are committed to complying with any applicable legislation relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with provisions of the European and Luxembourg data protection law and other applicable foreign law, if any.

Lawfulness, fairness and transparency

We do not Process Personal Data without having a lawful reason to do so. We may be required to Process your Personal Data for the purposes of (i) performing a contract to which you are a party; (ii) complying with a legal obligation to which we are subject; (iii) safeguarding your vital interests or those of a Data Subject; (iv) your prior consent to the Processing in question; (v) the legitimate interests pursued by Sodexo, unless your interests or fundamental rights and freedoms prevail; and (vi) the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

When Processing your Personal Data, we will provide you with a fair and full information notice or privacy statement including the following information: who is the Controller of your Personal Data, what are the purposes of the Processing of your Personal Data, what is the legal basis for the Processing, who are the recipients of your Personal Data, what are your rights and how you can exercise them, except where this would be impossible or would require disproportionate efforts.

When required by applicable law, we will seek your prior consent (e.g. before collecting particular categories of (so-called “sensitive”) Personal Data).

Legitimate Purpose, Limitation and data minimization

Your Personal Data is collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.

When Sodexo acts for its own purposes, your Personal Data is Processed mainly for, but not limited to, the following purposes: recruitment management, administrative and social management and organisation of the work of our employees, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

Data accuracy and storage limitation

Sodexo will keep Personal Data that is Processed accurate and, where necessary, up to date.  Also, we will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for Sodexo to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data established in our retention policy you may contact us at privacy.svc.lu@sodexo.com.

Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.

SECUTITY OF YOUR PERSONAL DATA

We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information and Systems Security Policy.

We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data. We also carry out, depending on the level of risk raised by the Processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Data. We also provide additional security safeguards for data considered to be Sensitive Personal Data.

SHARING OF YOUR PERSONAL DATA

We share your Personal Data, in the following circumstances:

  • with Sodexo entities for the purposes described in this Policy;
  • with Third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
  • with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared;
  • with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
  • with service providers who we engage within or outside of Sodexo, domestically or abroad, e.g. shared service centers, to Process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
  • if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets in order to transfer by legal effect, assign or novate rights or obligations to them.

All sharing of Personal Data is done in compliance with the applicable legal and regulatory provisions and under contracts that comply with the provisions of the GDPR, in particular with regard to Processors of Personal Data.

INTERNATIONAL PERSONAL DATA TRANSFERS

The GDPR does not allow the transfer of Personal Data to Third countries outside EEA that do not ensure an adequate level of data protection. Some of the Third countries in which Sodexo operates do not provide the same level of data protection as the country in which you reside and are not recognized by the European Commission as providing an adequate level of protection for individuals’ data privacy rights.

For transfers of your Personal Data to such countries, either to entities within or outside Sodexo, Sodexo has put in place an adequate safeguard to protect your Personal Data. You will be provided with more information about any transfer of your Personal Data outside of Europe at the time of the collection of your Personal Data through appropriate privacy statements.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at privacy.svc.lu@sodexo.com.

COOKIES

Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. For instance, we may use necessary cookies, which held make our websites usable by enabling basic functions such as page navigation and access to secure areas of our websites, to ensure that your visit to our site runs smoothly. We may also use preference cookies to ensure that we offer you options that suit your preferences the next time you visit our website.

We may also use statistical and marketing cookies to analyse traffic and for advertising purposes.

Cookies may enhance your online experience by saving your preferences while you are visiting one of our websites. In this case, we will let you know about the types of cookies we use and how to disable such cookies. You will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies Policy.

YOUR RIGHTS

Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights:

Right of access and rectification You can request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.
Right to erasure Your right to be forgotten entitles you to request the erasure of your Personal Data in cases where:

(i)               the data is no longer necessary for the purpose for which it was collected;

(ii)              you choose to withdraw your consent;

(iii)             you object to the Processing of your Personal Data;

(iv)             your Personal Data has been unlawfully Processed;

(v)              there is a legal obligation to erase your Personal Data;

 

Right to restriction of Processing You may request that Processing of your Personal Data be restricted in the cases where:

(i)               you contest the accuracy of your Personal Data;

(ii)              Sodexo no longer needs your Personal Data for the purposes of the Processing;

(iii)             you have objected to Processing for legitimate reasons.

Right to data portability You can request, where applicable, the portability of your Personal Data that you have provided to Sodexo, in a structured, commonly used, and machine-readable format you have the right to transmit this data to another Controller without hindrance from Sodexo where:

(a)        the Processing of your Personal Data is based on consent or on a contract; and

(b)        the Processing is carried out by automated means.

You can also request that your Personal Data be transmitted to a Third party of your choice (where technically feasible).

Right to object to Processing You may object (i.e. exercise your right to “opt-out”) to the Processing of your Personal Data particularly in relation to profiling or to marketing communications. When we Process your Personal Data on the basis of your consent, you can withdraw your consent at any time.
Right not to be subject to automated decisions

 

You have the right not to be subject to a decision based solely on automated Processing, including profiling, which has a legal affect upon you or significantly affects you.
Right to lodge a complaint You can choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. Personal Data. In the Grand Duchy of Luxembourg, the supervisory authority is the CNPD (Commission Nationale pour la Protection des Données)

You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

 

 

To exercise these rights, you can either send your Request to the generic email address as indicated in the privacy notices and/or the privacy policies provided to you at the time of the collection of your Personal Data and/or your Luxembourg Data Protection Officer at privacy.svc.lu@sodexo.com and/or to the Group Data Protection Officer at dpo.group@sodexo.com.

CHILDREN

Children merit specific protection with regard to their Personal Data, as they are less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal Data. Such specific protection should, in particular, apply to the Processing of Personal Data of children for the purposes of marketing or creating personality or user profiles and the collection of Personal Data with regard to children when using services offered directly to a child.

We do not collect and Process Children’s Personal Data without the consent of the holder of parental responsibility where required. In particular, we do not promote or market our services to Children, except for specific services and upon the consent of the holder of parental responsibility. If you believe that we have mistakenly collected a Children’s Personal Data, please notify us using the contact details provided below.

UPDATE

We may update this Policy from time to time as our business changes or legal requirements change. If we make any significant changes to this Policy, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.

CONTACT US

If you have questions, comments and requests regarding this policy  you can send address them to your Luxembourg Data Protection Officer at privacy.svc.lu@sodexo.com and/or to the Group Data Protection Officer at dpo.group@sodexo.com or send a letter to Sodexo SA, Group Data Protection Officer, 255 quai de la bataille de Stalingrad, 92130 Issy-les-Moulineaux, France

DEFINITIONS

Controller means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

CNPD means the Luxembourg Data Protection Supervisory Authority.

Data Subject means any identified or identifiable natural person whose Personal Data is subject to Processing.

European data protection law or General Data Protection Regulation or GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

Group Data Protection Officer means the person appointed with the approval of the Sodexo Group Executive Committee to be responsible for matters relating to the confidentiality of Personal Data at the Sodexo Group level.

Luxembourg Data Protection Officer means the person appointed with the approval of the Executive Committee of the Sodexo Group to be responsible for matters relating to the confidentiality of Personal Data concerning SODEXO LUXEMBOURG. The Luxembourg Data Protection Officer is part of Sodexo’s global Personal Data Protection network.

Personal Data means all personal data communicated by the Controller and/or collected directly or indirectly from the Data Subjects. Information relating to an identified or identifiable natural person is considered to be Personal Data under the Personal Data Protection Regulations. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processed, Processing or Processing of Personal Data means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor means the person or body that Processes or subcontracts the Personal Data on behalf of the Controller and in accordance with its instructions.

Sensitive Personal Data designated as “Special Categories of Data” under the GDPR means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. This definition includes also Personal Data relating to criminal convictions and offences.

Sodexo Group means any entity controlled under the conditions provided for by law, directly or indirectly, by Sodexo S.A., a French public company limited by shares (société anonyme), with registered office at 255, Quai de la Bataille de Stalingrad – 92130 Issy-les-Moulineaux, registered with the Trade and Companies register of Nanterre under number 301 940 219.

Supervisory Authority means an independent public authority which is established by a Member State as specified in the GDPR.

Third country(ies) means any country, territory or defined sector in that country, outside the European Union (EU) and the European Economic Area (EEA).

Third party(ies) means any company or entity other than the Controller, the Processor and the Data Subject which, under the direct authority of the Controller or the Processor, is authorised to Process the Personal Data.