Pillars of the Global Data Protection Program | Description of key actions implemented |
---|---|
Actions related to accountability | **Framework for the Global Data Protection Program.** In a global regulatory context where GDPR principles are widely reflected in most data protection laws outside the European Union, the Sodexo Group has decided to apply the same level of protection to personal data across the Group, based on GDPR requirements, while also incorporating specific local legal obligations. This choice led Sodexo to submit a Binding Corporate Rules (BCR) application to the CNIL, the French data protection authority and the Group’s competent lead authority. BCR are a legal framework provided for in the GDPR that allows a multinational group to adopt a binding code of conduct, so that common data protection compliance management rules apply effectively throughout the group, and that provides a legal basis for transfers of personal data between entities of the same group. After several years of discussion with the CNIL, with other European Union supervisory authorities and with the European Data Protection Board (EDPB), the Sodexo Group’s application has now been formally approved. |
| | **A tool for managing compliance with data protection rules.** The Sodexo Group has been using a compliance management tool since Fiscal 2018. This tool supports the Global Data Protection Program by implementing automated processes to ensure: |
Data sharing | **Intra-Group data sharing.** While its BCR application was pending formal approval by the CNIL, the Sodexo Group rolled out an Intra-Group Data Processing Agreement (IGDPA). This agreement incorporates the Standard Contractual Clauses (SCC) adopted by the European Commission on June 4, 2021, and contractually requires Group entities to comply with the main principles and obligations for the protection of personal data laid down by the GDPR. In preparation for the rollout of the Sodexo Group’s BCR, the applicable personal data protection laws were mapped in Fiscal 2020 in order to have a clear view of the formalities to be completed. This map, together with an inventory of the data localization obligations applicable in certain countries, was updated in Fiscal 2022. |
| | **Data sharing with third parties.** A best practice code for data sharing with third parties was drawn up by the Group’s Data Protection Officer in Fiscal 2018, so that the same practices apply wherever data processing operations are fully or partially outsourced to third parties. More recently, following the judgment of the Court of Justice of the European Union in the “Schrems II” case(1), Sodexo has developed an automated method for assessing the impact of a data transfer on the protection of personal data, in terms of the rights and freedoms of the individuals concerned (Transfer Impact Assessment, TIA). This assessment is performed on the basis of the recommendations published by the EDPB(2). |
(1) Judgment of the Court (Grand Chamber) of July 16, 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18, invalidating the EU-U.S. Privacy Shield adequacy decision (Commission Implementing Decision (EU) 2016/1250 of July 12, 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the protection provided by the EU-U.S. Privacy Shield). The judgment also confirmed that Standard Contractual Clauses remain a valid transfer tool only where the exporter has verified, on a case-by-case basis, that the law of the destination country does not undermine the protection the clauses provide, which is the reason a TIA is performed.
(2) EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0, adopted on June 18, 2021.