| Pillars of the Global Data Protection Program | Description of key actions implemented |
|---|---|
| Actions related to accountability | **Framework for the Global Data Protection Program**(1) The Sodexo Group Global Data Protection Program is a set of common rules for the Group, drawn up on the basis of the General Data Protection Regulation (GDPR) principles, which are widely reflected in most data protection laws outside the European Union, while enabling compliance with specific local legal obligations. This Global Data Protection Program is the basis of the Sodexo Group's BCR, which were approved on December 21, 2023, by the French data protection authority (the "CNIL"), acting as the Group's competent lead authority, and by its counterparts in the European Union, as well as by the European Data Protection Board (EDPB), following collaboration with these authorities for over five years. The Sodexo Group's BCR are a legal tool provided for in the GDPR that allows multinational companies to adopt a binding Code of conduct to effectively apply common data protection compliance management rules, and that provides a framework for the transfer of personal data within the same group. **A tool for managing compliance with data protection rules** This tool supports the Global Data Protection Program by implementing automated processes to ensure: |
| Data sharing | **Intra-Group data sharing** The Sodexo Group's BCR are gradually replacing the Intra-Group Data Processing Agreement (IGDPA), set up during Fiscal 2022, as the legal framework for sharing personal data within the Group. **Data sharing with third parties** A best practice Code for data sharing with third parties, drawn up by the Group's Data Protection Office in Fiscal 2018, made it possible to harmonize practices where data processing operations are either fully or partially outsourced to third parties. More recently, following the European Court of Justice's decision in the "Schrems II" case(2), Sodexo has developed an automated method of assessing the impact of data transfers on the protection of personal data (Transfer Impact Assessment, TIA) in terms of the rights and freedoms of the individuals concerned. This assessment is performed on the basis of the recommendations published by the EDPB(3). |
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
(2) Judgment of the Court (Grand Chamber) of July 16, 2020 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems – C-311/2018, annulling the Privacy Shield adequacy decision (Commission Decision of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the U.S. Department of Commerce).
(3) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on June 18, 2021.