Universal Registration Document - Fiscal 2024

Introduction

7.3.2 Data Protection

Innovation, new technology and data, including personal data, are essential at Sodexo. Wherever we serve our clients and consumers and wherever our employees are located, we make responsible use of data while respecting privacy and the applicable data protection rules. 

The table below summarizes the key actions implemented as part of the Global Data Protection Program based on common standards rolled out worldwide, which led to the approval of the Sodexo Group’s Binding Corporate Rules (or BCR).

Pillar of the Global Data Protection Program: Data protection governance mechanisms

Description of key actions implemented:

The appointment of a Data Protection Officer and the implementation of hybrid governance

In Fiscal 2018, the Sodexo Group set up an expert team dedicated to data protection (the Global Data Protection Office) with a Data Protection Officer reporting directly to the Group General Counsel. This Data Protection Officer changed during Fiscal 2024.

The Group’s Data Protection Officer, with the members of the Global Data Protection Office, as well as a network of around 60 country-level dedicated data protection single points of contact, ensures that the Group respects data protection laws and the Global Data Protection Program. These points of contact are responsible, with the support of local governance bodies, for executing and, if necessary, adapting the compliance program to their specific challenges and issues relative to their respective scopes.

In order to ensure better integration of these points of contact and strengthen their expertise, the Global Data Protection Office has created a “Data Protection Academy” which consists of a two-day theoretical and practical training session. Since the GDPR became effective, eight academy training sessions have been held for data protection contact points. Additionally, with a view to ensuring that the personal data protection network stays ahead of the learning curve, that best practices are harmonized and the Group’s data protection policies and procedures are consistently implemented, the network is continuously monitored by the Global Data Protection Office.

Integrated governance with the teams in charge of information security

The Group Data Protection Office works closely with other Group Departments, such as the Chief Information Security Officer and the Chief Data Officer. Since Fiscal 2019, this collaboration has been structured at the Group level in the form of a Global Cyber-Security and Privacy Review Committee, which also comprises the Group General Counsel, the Group Chief Tech, Data and Digital Officer, the Group Internal Control Officer and representatives of the Sodexo Leadership Team. This collaboration has also resulted in integrated processes for reviewing projects from the design stage and for reviewing suppliers prior to the contractual phase, as well as joint response protocols, especially for the management of security incidents and personal data breaches.

Integrated governance with teams responsible for data and technology

The Sodexo Group is interested in technological advances, such as generative artificial intelligence, which could potentially improve the daily life of its employees and the consumers that the Group serves. At the same time, in order to maintain discipline regarding our values and responsible business conduct, the Sodexo Group has set up a multidisciplinary Committee to facilitate the analysis of operational initiatives and to answer questions efficiently, in compliance with a set of rules of good conduct. These rules are adapted and updated empirically and in line with new regulations that are being developed worldwide.