Respecting privacy and protecting personal data are the responsibility of everyone at Sodexo and form one of the pillars of the Group’s Responsible Business Conduct program.
For several years, the Group has been able to strengthen the trust of its employees, clients, consumers and shareholders with regard to data protection through several actions:
Furthermore, Sodexo decided to apply the same level of protection to personal data across the Group, based on GDPR requirements, while at the same time incorporating specific local legal obligations. This choice, made in a global regulatory environment where GDPR principles are broadly reflected in the majority of data protection legislation outside the European Union, is now proving a real commercial advantage.
During Fiscal 2022, new actions were taken in each of the program’s six pillars. These actions were aimed at strengthening governance mechanisms (6.3.5.1), actions relating to responsibility (or accountability) (6.3.5.2), the framework for sharing personal data (6.3.5.3), processes and tools to improve risk management and to protect personal data from the project design stage (privacy by design) (6.3.5.4), response protocols for requests made by data subjects (6.3.5.5), as well as transparency and awareness-raising among employees (6.3.5.6).
The hybrid governance model put in place by Sodexo consists of combining centralized and local governance. The Group DPO, who is in charge of ensuring compliance with the applicable laws and the Group’s data protection policies and procedures, now has a team of experts at Group level. She relies on a network of local data protection points of contact in each relevant Group entity, who assist with implementing the global data protection program with the support of local governance committees, adapting it to local conditions, if required.
A Data Protection Academy has been founded to enhance the integration of these new local points of contact and to strengthen their level of expertise. During Fiscal 2022, a Data Protection Academy was held to integrate local data protection contact points in Asia (AMETA) in particular. Additionally, with a view to ensuring that the personal data protection network stays ahead of the learning curve, that best practices are harmonized and the Group’s data protection policies and procedures are consistently implemented, the network is continuously monitored and trained by the Group DPO and her central team. A local governance procedure template has also been shared with the network so that the organization and operation of local governance bodies can be documented in a uniform manner.
The Group-wide system set up from Fiscal 2019 to share data protection governance with the various business lines, particularly the teams responsible for information security and the Group’s compliance teams, was continued this fiscal year through regular meetings in its respective bodies:
In order to provide adequate safeguards regarding the transfer of personal data within the Group, Sodexo has decided to submit Binding Corporate Rules to the French supervisory authority for data protection, the National commission for information technology and civil liberties (CNIL), the Group’s competent lead authority. This is a legal framework proposed in the GDPR that allows multinational companies to adopt a binding Code of conduct to effectively apply common data protection compliance management rules and provides a framework for the transfer of personal data within groups. The procedure for approving these Binding Corporate Rules continued throughout Fiscal 2022 and, after several years of discussion with the CNIL, Sodexo’s submission is now at the final validation stage before the European Data Protection Board (EDPB).
Pending this approval, Sodexo rolled out an Intra-Group Data Processing Agreement (IGDPA) across the entire Group. This document was drafted using the Standard Contractual Clauses (SCCs) published by the European Commission on June 4, 2021 and imposes a contractual requirement upon Group entities to comply with the main principles and obligations for protecting personal data provided for by the GDPR.
Finally, following the European Court of Justice’s decision in the “Schrems II” case(2), Sodexo has developed an automated method of assessing the impact of data transfers on the protection of personal data (Transfer Impact Assessment - TIA) in terms of the rights and freedoms of the individuals concerned. This assessment is carried out on the basis of the recommendations published by the EDPB(3) and may lead to the roll out of additional technical and organizational measures, if necessary, with the support of global Information Security teams.
