Universal Registration Document - Fiscal 2023

7.3.4 Data Protection

Innovation, new technology and data, including personal data, are essential at Sodexo. Wherever we serve our clients and consumers and wherever our employees are located, we make responsible use of data while respecting privacy and the applicable data protection rules.

On May 25, 2023, the Sodexo Group celebrated five years of the EU General Data Protection Regulation (GDPR(1)). Over the past five years, we have rolled out a Global Data Protection Program based on common standards worldwide.

The table below summarizes the key actions implemented as part of this program.

Pillar of the Global Data Protection Program: Data protection governance mechanisms

Description of key actions implemented:

The appointment of a Data Protection Officer and the implementation of hybrid governance

The Sodexo Group set up a team dedicated to data protection in Fiscal 2017 and a Data Protection Officer reporting directly to the Group General Counsel was appointed in Fiscal 2018.

The Group’s Data Protection Officer, who is in charge of ensuring compliance with the applicable laws and the Group’s data protection policies and procedures, has a team of experts at the central level. Together, they make up the Global Data Protection Office. She also relies on a network of around one hundred data protection single points of contact at country level. These points of contact are responsible, with the support of local governance bodies, for executing and, if necessary, adapting the compliance program to their specific challenges and issues relative to their respective scopes.

In order to ensure better integration of these points of contact and strengthen their expertise, the Global Data Protection Office has created a “Data Protection Academy” which consists of a two-day theoretical and practical training session. Since the GDPR became effective, eight academy training sessions have been held for data protection contact points. Additionally, with a view to ensuring that the personal data protection network stays ahead of the learning curve, that best practices are harmonized and the Group’s data protection policies and procedures are consistently implemented, the network is continuously monitored by the Data Protection Officer and her central team.

Integrated governance with the teams in charge of information security

The Group Data Protection Officer and her team work closely with other Group Departments, such as the Chief Information Security Officer and the Chief Data Officer. This collaboration has been structured at the Group level since Fiscal 2019 in the form of a Global Cyber-Security and Privacy Review Committee, also comprising the Group General Counsel, the Group Chief Information Security Officer, the Group Internal Control Officer and several members of the Sodexo Leadership Team. This collaboration has also resulted in the implementation of integrated processes for project review from the design stage and for supplier review prior to the contractual phase, as well as protocols for joint response, especially regarding the management of security incidents and personal data breaches.

Integrated governance with teams responsible for data and technology

The Sodexo Group is interested in technological advances, such as generative artificial intelligence, which could potentially improve the daily life of its employees and the consumers that the Group serves. At the same time, in order to maintain discipline regarding our values and responsible business conduct, the Sodexo Group has set up a multidisciplinary Committee to facilitate operational initiatives and answer questions efficiently and in compliance with a set of rules of good conduct which is adapted and updated empirically.

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.