Fiscal 2020 Universal Registration Document

5. Corporate governance

5.3.5 Data protection

Respecting privacy and protecting personal data are the responsibility of everyone at Sodexo and form one of the pillars of the Group’s Responsible Business Conduct program.

The Group has been able to strengthen the relationship of trust it has built up with its employees, customers, consumers and shareholders about data protection by appointing a Group Data Protection Officer in Fiscal 2017 (who reports directly to the Group General Counsel), setting up a dedicated data protection team, and rolling out a global data protection program that complies with the General Data Protection Regulation (“GDPR”)(1).

In addition, GDPR principles have been widely taken up in data protection laws outside the European Union, such as the laws recently adopted in Brazil and California and those in the process of being adopted, such as in India and Chile. In this global regulatory environment, Sodexo’s decision to have a uniform, Group-wide data protection policy based on GDPR requirements, while also taking into account the legal obligations applicable locally, has proved to be a real commercial asset.

As described below, in Fiscal 2020, major headway was made in terms of each of the program’s six pillars, with all of the following areas reinforced: governance processes, accountability, the management of personal data transfers, processes and tools for ensuring better risk management and data protection as from the project design stage (“privacy by design”), protocols for responding to requests from data subjects, and transparency and employee awareness-raising.

5.3.5.1 Data protection Governance
A hybrid governance model

The hybrid governance model put in place by Sodexo consists of combining centralized and local governance. The Group Data Protection Officer – who is in charge of ensuring compliance with the applicable laws and the Group’s policies and procedures relating to data protection – has a central team of experts at Group level, which has recently been strengthened by the addition of a project management specialist. She is also assisted by a network of local data protection single points of contact appointed in each of the entities concerned, who provide help and support with implementing the global data protection program through local governance bodies.

In order to ensure that new local data protection single points of contact are integrated into the network as effectively as possible, the Group has created a Data Protection Academy, which held two training sessions in Fiscal 2020. Additionally, with a view to ensuring that the data protection network stays ahead of the learning curve and that best practices are harmonized and the Group’s data protection policies and procedures are consistently implemented, the Group Data Protection Officer and her central team exercise a continuous oversight role (with quarterly meetings in groups and meetings with the whole network twice a year).

During Fiscal 2020, the monthly reporting system used by the local data protection single points of contact to report certain key indicators, such as the number of requests for access rights, or the number of data protection impact assessments, was simplified and automated. The information reported via this system gives the Group Data Protection Officer an overall view of the situation Group-wide, which she uses as a basis for her quarterly reports to the Group Chief Executive Officer.

A shared governance system

In Fiscal 2019, the Group set up a system for sharing data protection governance with the teams in charge of information systems security. This system was continued in Fiscal 2020 through the following two Committees:

  • global Cyber-Security and Data Protection Review Committee, comprising the Global Chief Information Security Officer, the Group Data Protection Officer, the Group General Counsel, the Group Internal Control Officer and seven members of the Executive Committee.
    • The role of this Review Committee, which meets around three times a year, is to (i) approve the strategies and programs drawn up by the Global Chief Information Security Officer and the Group Data Protection Officer, and monitor the implementation of their respective roadmaps, (ii) draw lessons from any major security incidents and data breaches and adjust the corresponding programs where necessary, (iii) review the reports of the internal and external auditors and the responses to be put in place for any identified weaknesses, and (iv) identify any major residual risks for the Group and decide on the appropriate remedial actions. One of the issues covered by the risk assessments performed and reported on to the Committee in Fiscal 2020 by the Group Data Protection Officer and the Global Chief Information Security Officer was the use of personal computers and smartphones for professional purposes (“Bring Your Own Device”);
  • Group Compliance Management Committee, comprising the Global Chief Information Security Officer, the Group Data Protection Officer, the Global IT Compliance & Control Director and members of their respective teams at Group level. 
    • This Committee meets on a regular basis and is assisted, when required, by representatives of the Group’s business activities, segments and support functions. Its role is to ensure that the IT-related technical and organizational measures implemented to guarantee security and confidentiality adequately cover data protection risks. In Fiscal 2020, the Compliance Management Committee focused on the launch of a campaign across all of Sodexo’s entities to raise awareness and provide recommendations to ensure that the Group’s data retention policies are effectively applied.

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.