| Pillars of the Global Data Protection Program | Description of key actions implemented |
|---|---|
| Pillars of the Global Data Protection Program
|
Description of key actions implemented Privacy by default A risk assessment is carried out prior to any contracts being signed with suppliers. This assessment of the risks associated with the processing of personal data by Sodexo’s suppliers has been automated and work to integrate the process within the global information system security teams means that a common score can be used for supplier compliance in terms of both the protection of personal data and information security. Continuous risk management and regular, targeted controls Continuous risk management relies on a questionnaire to verify the proper application of the Sodexo Group’s BCR. On an annual basis since Fiscal 2022, local data protection contact points have used this questionnaire to carry out a self-assessment of the compliance with personal data processing procedures implemented by the Group entities within their scope. This self-assessment is then verified by internal control teams. In addition, internal control teams conduct targeted controls of some of the Group entities as necessary. Furthermore, as part of Sodexo’s regulated activities, specific audits have been implemented by the competent authorities in order to confirm proper compliance of the Group entities concerned. Internal control and audit teams receive extra training on the key elements involved in personal data protection, on an annual basis, in order to monitor the effectiveness of the Group’s compliance program and formulate relevant recommendations as effectively as possible. |
| Pillars of the Global Data Protection Program Response protocols in the event of requests by data subjects or personal data breaches |
Description of key actions implemented Response to requests concerning rights regarding data protection The Group’s data protection teams adopt an ongoing process of continuous improvement as regards the procedures for managing requests relating to personal data protection rights (rights of access, rectification or deletion of data, for example). To do this, they rely on recommendations issued by the relevant supervisory authorities and best practices shared by Sodexo’s data protection network. They are required to handle an increasing number of requests from the Group’s consumers and employees in Europe and worldwide, which goes hand in hand with data subjects’ growing awareness of their rights and freedoms under personal data protection regulations. Thanks to the implementation of procedures, and forms, and dedicated teams that have undergone extra training on the topics, all of the requests received have been properly managed. Response to security incidents and personal data breaches To ensure that any security incidents resulting from personal data breaches are properly managed, the Group’s Data Protection Officer and the Group’s Chief Information Security Officer have jointly drafted a Group directive to be adapted locally by all Sodexo entities. The directive sets out the people to contact and the measures to take when a personal data breach is suspected or detected. A dedicated system has also been deployed to deal with any such security incidents even more efficiently and to enable a register of the incidents to be kept. In addition, local data single protection points of contact are provided with regular training in assessing risk on behalf of data subjects. Such training is based on the recommendations of the EDPB, in particular. All Sodexo Group employees have also undergone training to identify potential breaches and incidents that should be reported to incident management teams. The Group Data Protection Officer keeps an overall register of personal data breaches, into which incidents can be entered by the local data protection single points of contact, thanks to a simplified, automated reporting system. During Fiscal 2022 and 2023, the Group organized crisis management exercises involving hypothetical security incidents. The Group’s Data Protection Officer took part in these exercises, which were designed to improve the internal structure of internal crisis cells, their responsiveness, and therefore the effectiveness of the protocol for responding to security incidents and personal data breaches. Cooperation with the data protection authorities Through its hybrid data protection governance, the Sodexo Group maintains relationships of trust and cooperation with other European supervisory authorities, particularly in the context of its management of complaints and requests to exercise rights. |
