Fiscal 2020 Universal Registration Document

5. Corporate governance

5.3.5.5 Response protocols and execution measures

Response to requests concerning rights regarding data protection

During Fiscal 2020, the Group carried out in-depth work on updating its policy and procedure for managing requests concerning data subjects' access rights (right of access, right of rectification, etc.) and on digitalizing the procedures for managing the exercise of these rights (online form, a system enabling requests to be more effectively tracked, etc.).

Response to security incidents and personal data breaches

To ensure that any security incidents resulting from personal data breaches are properly managed, the Group Data Protection Officer and the Global Chief Information Systems Security Officer have jointly drafted a Group directive to be adapted locally by all of the Sodexo entities. A dedicated system has also been deployed in order to deal with any such security incidents even more efficiently and to enable a register of the incidents to be kept. Training has been given to the local data protection single points of contact to help them with assessing the risks for data subjects when security incidents take place.

The Group Data Protection Officer keeps an overall register of personal data breaches, into which incidents can now be entered thanks to a simplified, automated reporting system through which the local data protection single points of contact can easily report any personal data breaches.

Cooperation with the data protection authorities

In Fiscal 2020, Sodexo’s French Foodservices operations were audited by France’s supervisory authority for data protection, the CNIL. This audit was carried out as part of the annual program implemented by the CNIL, which in 2018 announced that it would be paying special attention to how service providers process personal data on behalf of data controllers. The CNIL found that Sodexo has shown a good level of maturity in applying the new legal framework with respect to the personal data processing it carries out as a data processor for its customers. As a result, it decided to close the audit procedure.

5.3.5.6 Transparency and awareness-raising

Transparency

The Group’s work on transparency during Fiscal 2020 included updating its notification templates and confidentiality policies, especially those intended for Group employees but also those including necessary information related to cookies.

A system designed to record user consent and preferences prior to the installation of cookies has been chosen and will be deployed during Fiscal 2021 on all of the websites and apps of the Sodexo entities concerned.

Awareness-raising

As an extension to the global GDPR training program set up in Fiscal 2019 for Sodexo employees, the Group has launched a new practical worldwide campaign, based on ten golden rules with a logo, graphic identity and the slogan “We believe in privacy”. Designed in a fun and engaging way, this campaign has stepped up Sodexo’s drive to raise employee awareness about confidentiality and data protection.

A training module will be launched in Fiscal 2021 to remind all of the Group’s employees about data protection principles.