Fiscal 2021 Universal Registration Document

6. Corporate governance

6.3.5.2 Accountability

In conjunction with the information systems teams, an inventory of IT applications and personal data processing, organized by purpose, was performed in Fiscal 2018 within the Group entities operating throughout the European Economic Area. This inventory was also performed in the other regions of the world where Sodexo operates. In Fiscal 2021, the central and local data protection teams focused on maintaining the processing records.

Sodexo has also decided to submit Binding Corporate Rules to the French supervisory authority for data protection, the National Commission for Information Technology and Civil Liberties (“CNIL”), which Sodexo considers as its competent lead supervisory authority. This is a legal framework proposed in the GDPR that allows multinational companies to submit a binding Code of conduct for data protection. Once approved by the CNIL, this Code will enable Sodexo to even more effectively share common data protection compliance management rules with all Group entities and have a Group-wide data sharing framework. In Fiscal 2021, Sodexo’s draft Binding Corporate Rules reached another milestone in the European data protection authorities' review and approval process. Now that the CNIL has completed its investigation of the draft Rules, they have been sent by the CNIL to the co-examining authorities (Belgium and Spain) for comment. Following this stage, the project will be officially submitted to the European Data Protection Board.

6.3.5.3 Data sharing

The Group Data Protection Officer has drawn up a Best Practice Code for sharing data as well as template data protection clauses for supplier agreements on processing personal data. Since Fiscal 2018, these documents have allowed all Group entities to apply the same practices where data processing operations are either fully or partially outsourced.

Furthermore, a mapping of the applicable data protection laws was drawn up in Fiscal 2020 with the aim of providing a clear overall view of the formalities that need to be carried out in each of the countries where Sodexo entities operate, and therefore to prepare for implementing the Group’s Binding Corporate Rules.

Fiscal 2021 was marked by the roll-out of an action plan to review and monitor transfers of personal data to countries outside the European Union and the European Economic Area that do not provide an adequate level of protection, following the invalidation by the European Court of Justice of the EU-US Privacy Shield(1) and the publication of recommendations by the European Data Protection Board. In particular, the following actions have been launched: a mapping of intragroup and extragroup personal data flows, awareness-raising among the Group teams in charge of information systems and the security of these systems, the introduction of a questionnaire to analyze the impact of transfers to countries outside the European Economic Area, and the strengthening of standard clauses in agreements with suppliers concerning the processing of personal data.

6.3.5.4 Risk management and control

Privacy by design

In Fiscal 2021, procedures to incorporate the review of risks related to privacy and fundamental human rights continued to be rolled out, based on an automated questionnaire that must be completed by the internal parties concerned prior to launching any IT or digital project involving personal data processing. This “Privacy Risk Assessment Questionnaire” enables each data protection team to identify more efficiently the level of risk raised by a project and to decide whether any compliance measures need to be taken. To better support the teams in charge of data protection, the Group’s Data Protection Officer and her team have used a guide to raise awareness among their dedicated local points of contact of the methodology to be applied to analyze risks and ensure that projects comply with the GDPR and applicable data protection laws.

If a high level of risk is identified and certain criteria are met, a full impact assessment is performed through an automated process.

Privacy by default

A risk assessment is also carried out on Group suppliers before any contracts are signed with them and this process has been automated for global suppliers.

Continuous risk management and regular, targeted controls

A regular monitoring plan has been put in place for the local data protection single points of contact in order to assist them with ongoing compliance management. This monitoring now includes a “project management” aspect, which provides a full and up-to-date view of the risks related to any non-compliance with applicable data protection laws and the Group’s policies and procedures concerning data protection.

Fiscal 2021 saw the creation of a self-assessment questionnaire for dedicated data protection points of contact to assess the level of effective implementation of the overall compliance program. This questionnaire is now also used by the internal control teams for the purposes of an annual audit on data protection with a focus on the processing of personal data relating to human resources management for Fiscal 2021. In this context, the internal control and internal audit teams have received comprehensive training on the compliance points to be verified.

The central data protection team has also worked to ensure consistency in the Group’s practices regarding the processing of its employees’ personal data related to occupational health and safety management in the context of the pandemic. The team also performed several compliance audits of certain Group entities.

(1) Judgment of the Court of Justice of the European Union of July 16, 2020 in case C-311/18 Data Protection Commissioner v. Maximillian Schrems and Facebook Ireland.