Fiscal 2021 Universal Registration Document

6. Corporate governance

6.3.5 Data protection

Respecting privacy and protecting personal data are the responsibility of everyone at Sodexo and form one of the pillars of the Group’s Responsible Business Conduct program.

The Group has been able to strengthen the trust built up with its employees, customers, consumers and shareholders about data protection by appointing a Group Data Protection Officer in Fiscal 2017, reporting directly to the Group General Counsel, setting up a dedicated data protection team, and rolling out a global data protection program that complies with the General Data Protection Regulation (“GDPR”)1 and the other applicable data protection laws.

During Fiscal 2021, new actions were taken in each of the program’s six pillars. These new actions are detailed below.

6.3.5.1 Data protection governance

A hybrid governance model

The hybrid governance model put in place by Sodexo consists of combining centralized and local governance.

Centralized governance relies on the Group Data Protection Officer – who is in charge of ensuring compliance with the applicable laws and the Group’s data protection policies and procedures – as well as a team of experts, with the support of a project management specialist.

Local governance relies on a network of points of contact or local data protection officers dedicated to data protection in each of the entities concerned, who are in charge of implementing the global data protection program through regional or local governance committees.

In Fiscal 2021, the system of monthly reporting by the local points of contact or data protection officers to the Group Data Protection Officer was strengthened with a larger number of metrics (for example: number of requests to exercise data subjects' rights, number of data protection impact assessments, number of data protection trainings conducted locally, number of personal data breaches, number of complaints from supervisory authorities, etc.). The reported information gives the Group Data Protection Officer an overall view of the situation Group-wide, which she uses as a basis for her quarterly reports to the Group Chief Executive Officer.

A shared governance system

The Group-wide system set up over previous years to share data protection governance with the teams in charge of information systems security was continued in Fiscal 2021 through the following Committees:

  • Global Cyber-Security and Data Protection Review Committee, comprising the Global Chief Information Security Officer, the Group Data Protection Officer, the Group General Counsel, the Group Internal Control Officer and seven members of the Executive Committee.

The role of this Review Committee, which meets around three times a year, is to (i) approve the strategies and programs drawn up by the Global Chief Information Security Officer and the Group Data Protection Officer, and monitor the implementation of their respective roadmaps, (ii) draw lessons from any major security incidents and personal data breaches and adjust the corresponding programs where necessary, (iii) review the reports of the internal and external auditors and the responses to be put in place for any identified weaknesses, and (iv) identify any major residual risks for the Group and decide on the appropriate remedial actions. During Fiscal 2021, the Review Committee met three times. In addition to the review of the main projects and initiatives in the area of cybersecurity and data protection, the work carried out within the framework of domain name governance was presented to the Committee;

  • Group Compliance Management Committee, comprising the Group Data Protection Officer, the Global IT Compliance & Control Director and members of their respective teams at Group level.

This Committee meets on a regular basis and is assisted, when required, by representatives of the Group’s business activities, segments and support functions. Its role is to ensure that the IT-related technical and organizational measures implemented to guarantee security and confidentiality adequately cover data protection risks. The Committee focused on the following topics in particular in Fiscal 2021: monitoring the awareness campaign and recommendations designed to ensure effective application of personal data retention policies, ensuring compliance of personal data processing at Group level and managing personal data transfers outside the European Economic Area following the decision of the Court of Justice of the European Union invalidating the EU-US Privacy Shield2. This Committee met nine times in Fiscal 2021.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2 Judgment of the Court of Justice of the European Union of July 16, 2020 in case C-311/18 Data Protection Commissioner/Maximillian Schrems and Facebook Ireland.