Fiscal 2020 Universal Registration Document

5. Corporate governance Accountability

In conjunction with the information systems teams, in Fiscal 2018 an inventory was performed of (i) IT applications and (ii) the types of personal data processing, by purpose, carried out by Group entities operating in the European Union and the European Economic Area. This project led to the rollout of the global GDPR compliance program, which notably included the creation of data processing activities records.

This inventory and program rollout exercise was extended to the Asia Pacific region, the United States and Brazil in Fiscal 2019, and to South America, Russia and the Middle East in Fiscal 2020. Sodexo has also decided to submit Binding Corporate Rules to the French supervisory authority for data protection, the National Commission for Information Technology and Civil Liberties (“CNIL”), which Sodexo considers as its competent lead supervisory authority. This is a legal framework proposed in the GDPR that allows multinational companies to submit a binding Code of conduct for data protection. Once approved by the CNIL, this Code will enable Sodexo to even more effectively share common compliance management rules with all Group entities and have a Group-wide data sharing framework. Data sharing

The Group Data Protection Officer has drawn up a best practice code for sharing data as well as template data protection clauses for supplier agreements on processing personal data. These documents have been relayed throughout the network of data protection single points of contact so that ever since Fiscal 2018 all Group entities have been able to apply the same practices where data processing operations are either fully or partially outsourced.

Furthermore, a map of the applicable data protection laws was drawn up in 0 with the aim of providing a clear overall view of the formalities that need to be carried out in each of the countries where Sodexo entities operate, and therefore to prepare for implementing the Group’s Binding Corporate Rules.

The main issues arising in relation to data sharing in Fiscal 2020 concerned Fiscal 202managing and framing transfers of personal data to (i) the United Kingdom, due to the uncertainties caused by Brexit and (ii) the United States, due to the Court of Justice of the European Union’s ruling invalidating the decision adopted by the European Commission in 2016 on the adequacy of the protection provided by the EU-US“Privacy Shield”, which allowed the transfer of data between the European Union and operators in the U.S. that adhere to its data protection principles.(1) Risk management and control
Privacy by design

The Group has tightened its existing procedures by incorporating a review of risks related to privacy and fundamental human rights, based on an automated questionnaire that has to be completed by the internal parties concerned prior to launching projects involving personal data processing. This “Privacy Risk Assessment Questionnaire” enables each data protection team to more efficiently identify the level of risk posed by projects and to decide whether they need to take any compliance measures.

As a result, if a high level of risk is identified and certain criteria are met, an impact assessment can be performed. The impact assessment process was simplified and automated during Fiscal 2020, making easier to assess the risks involved and facilitating contacts with the internal parties concerned.

Privacy by default

A risk assessment is also carried out on Group suppliers before any contracts are signed with them and this process has been automated for global suppliers.

Continuous risk management and regular, targeted controls

A regular monitoring plan has been put in place for the local data protection single points of contact in order to assist them with ongoing compliance management. Sodexo’s entities are also monitored to measure their progress in implementing the Group’s data protection program. This monitoring now includes a “project management” aspect, which provides a full and up-to-date view of the risks related to any non-compliance with the applicable laws and the Group’s policies and procedures concerning data protection.

The following were created in Fiscal 2020: (i) a risks register, designed to more efficiently target data protection internal audits, and (ii) a list of control points, intended to help internal controllers and auditors to better measure how well the data protection program is being implemented.

Managing the Covid-19 crisis also led to issues relating to data protection. The Group Data Protection Officer issued guidelines to ensure that the Group’s practices were consistent for processing personal data relating to (i) workplace health and safety for employees, and (ii) services provided to customers, such as temperature-taking at the entrance to sites.

1 Commission Decision of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce.