Fiscal 2022 Universal Registration Document

6.3.5 Data Protection

Respecting privacy and protecting personal data are the responsibility of everyone at Sodexo and form one of the pillars of the Group’s Responsible Business Conduct program.

For several years, the Group has been able to strengthen the trust of its employees, clients, consumers and shareholders with regard to data protection through several actions:

  • appointing a Group Data Protection Officer (hereafter “Group DPO”) in Fiscal 2017, reporting directly to the Group General Counsel;
  • setting up a dedicated data protection team and a global network of dedicated points of contact; and
  • rolling out a global data protection program that complies with the EU General Data Protection Regulation (GDPR(1)).

Furthermore, Sodexo decided to apply the same level of protection to personal data across the Group, based on GDPR requirements, while at the same time incorporating specific local legal obligations. This choice, made in a global regulatory environment where GDPR principles are broadly reflected in the majority of data protection legislation outside the European Union, is now proving a real commercial advantage.

During Fiscal 2022, new actions were taken in each of the program’s six pillars. These actions were aimed at strengthening governance mechanisms (6.3.5.1), accountability (6.3.5.2), the framework for sharing personal data (6.3.5.3), the processes and tools used to manage risk and to protect personal data from the project design stage onward (privacy by design) (6.3.5.4), the protocols for responding to requests made by data subjects (6.3.5.5), and transparency and awareness-raising among employees (6.3.5.6).

6.3.5.1 Data Protection Governance

The hybrid governance model put in place by Sodexo consists of combining centralized and local governance. The Group DPO, who is in charge of ensuring compliance with the applicable laws and the Group’s data protection policies and procedures, now has a team of experts at Group level. She relies on a network of local data protection points of contact in each relevant Group entity, who assist with implementing the global data protection program with the support of local governance committees, adapting it to local conditions, if required.

A Data Protection Academy has been set up to onboard new local points of contact and to strengthen their expertise. During Fiscal 2022, a Data Protection Academy session was held, in particular to onboard the local data protection contact points in Asia (AMETA). Additionally, to keep the personal data protection network up to date, to harmonize best practices and to ensure that the Group’s data protection policies and procedures are implemented consistently, the network is continuously monitored and trained by the Group DPO and her central team. A local governance procedure template has also been shared with the network so that the organization and operation of local governance bodies can be documented in a uniform manner.

The Group-wide arrangements put in place from Fiscal 2019 onward to share data protection governance with the various business lines, particularly the information security teams and the Group compliance teams, continued this fiscal year through regular meetings of their two bodies:

  • the Global Cyber-Security and Privacy Review Committee, comprising the Global Chief Information Security Officer, the Group DPO, the Group General Counsel, the Group Internal Control Officer and seven members of the Group Executive Committee; and
  • the Group Compliance Management Committee, comprising the Global Quality, Performance and Information Systems Governance Officer, the Group DPO and members of their respective teams at Group level.

6.3.5.2 Accountability

In order to provide adequate safeguards for transfers of personal data within the Group, Sodexo decided to submit Binding Corporate Rules (BCRs) to the French data protection supervisory authority, the National Commission for Information Technology and Civil Liberties (Commission nationale de l’informatique et des libertés, CNIL), which is the Group’s competent lead authority. BCRs are a legal framework provided for in the GDPR (Article 47) that allows a multinational group to adopt a binding internal code of conduct applying common data protection compliance management rules, and that serves as a transfer tool for personal data shared within the group. The approval procedure for these Binding Corporate Rules continued throughout Fiscal 2022 and, after several years of discussion with the CNIL, Sodexo’s submission is now at the final validation stage before the European Data Protection Board (EDPB).

Pending this approval, Sodexo has rolled out an Intra-Group Data Processing Agreement (IGDPA) across the entire Group. This agreement was drafted on the basis of the Standard Contractual Clauses (SCCs) published by the European Commission on June 4, 2021 and contractually requires Group entities to comply with the main principles and obligations for protecting personal data laid down by the GDPR.

Finally, following the judgment of the Court of Justice of the European Union in the “Schrems II” case(2), Sodexo has developed an automated method for assessing the impact of data transfers on the protection of personal data (Transfer Impact Assessment, TIA) in terms of the rights and freedoms of the individuals concerned. The assessment is carried out on the basis of the recommendations published by the EDPB(3) and may lead, where necessary, to the rollout of supplementary technical and organizational measures with the support of the global Information Security teams.

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  2. Judgment of the Court (Grand Chamber) of July 16, 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, C-311/18, invalidating the Privacy Shield adequacy decision (Commission Implementing Decision (EU) 2016/1250 of July 12, 2016) while upholding the validity of Commission Decision 2010/87/EU on standard contractual clauses, subject to a case-by-case assessment of the level of protection in the destination country. The earlier Safe Harbor decision (Commission Decision 2000/520/EC of July 26, 2000) had already been invalidated by the “Schrems I” judgment of October 6, 2015, C-362/14.
  3. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0, adopted on June 18, 2021.