Fiscal 2022 Universal Registration Document

6 CORPORATE GOVERNANCE

The Group DPO keeps an overall register of personal data breaches, into which incidents can now be entered by the local data protection single points of contact, thanks to a simplified, automated reporting system.

During Fiscal 2022, the Group organized a crisis management exercise involving a hypothetical security incident. The Group DPO took part in this exercise, which was designed to improve the structure of internal crisis cells, their responsiveness, and therefore the effectiveness of the protocol for responding to security incidents and personal data breaches.

Cooperation with the data protection authorities

During Fiscal 2022, Sodexo undertook work to harmonize its Binding Corporate Rules with the data protection legislation applicable in the United Kingdom, in order to govern transfers of personal data from Group entities based in the United Kingdom to Group entities located outside the United Kingdom. A further submission must therefore be made to the United Kingdom supervisory authority, the Information Commissioner’s Office (ICO), for its approval.

Furthermore, during Fiscal 2022, Sodexo continued to cooperate with the other European data protection authorities in the management of complaints and requests to exercise rights, in accordance with the applicable regulations on the protection of personal data.

6.3.5.6 Transparency and awareness-raising
Transparency

The rollout of a user consent and preference management platform, which must obtain consent before cookies and other trackers are installed on users' web browsers or mobile phones, continued during Fiscal 2022.

Compliance of the Sodexo group’s websites and applications with the legislation applicable to cookies and other trackers has become an essential requirement for the Group’s Information Security teams responsible for the Data Services Platform.

In addition, Sodexo acted on the various decisions taken by the European data protection authorities in Fiscal 2022 on the use of Google Analytics as an audience measurement tool(4). The Group DPO has therefore worked with the teams responsible for operating the above-mentioned platform in order to identify and roll out appropriate alternative solutions.

Finally, a project was launched to look at using a global consent management tool and several tools are being considered for deployment during the course of next year.

Awareness-raising

Following on from the global training program for Sodexo employees on the principles of the GDPR, which began during Fiscal 2019, a new initiative has been launched to implement joint training with the Information Security teams.

In addition, there are plans to roll out a training module during Fiscal 2023 to remind all Group employees about the principles of personal data protection and to raise their awareness of the Sodexo group’s Binding Corporate Rules.

Finally, following the development of the new End2End Privacy Compliance Process by the Group DPO’s team, a guide on using the various automated risk assessment and impact analysis questionnaires has been rolled out to local data protection points of contact and also to internal stakeholders.

(4) Decisions of the Austrian authority dated December 21, 2021 and April 22, 2022; decisions of the French authority dated February 10, 2022 and March 2, 2022; decision of the Italian authority dated June 23, 2022.