Universal Registration Document Fiscal 2025

2 Sustainability at Sodexo

Consumer Data Privacy and Protection [S4-1, S4-2, S4-3, S4-4]

To deliver its services, Sodexo relies on technologies that may involve the processing of client and end-user personal data, including employees of client companies, students, patients, or direct consumers of Sodexo Live!. Such use and processing can affect the privacy and professional life of these individuals.

Whether Sodexo processes personal data on behalf of clients as a data processor, or for its own purposes as a data controller, the Group applies consistent global measures, procedures, and policies.

STRATEGY

To ensure the responsible use of personal data in full respect of applicable privacy and data protection legal requirements, Sodexo has implemented a global data protection compliance program (see description of the global program in section 6.5 of this document).

This program has been recognized by the European data protection authorities through the validation of Sodexo’s Binding Corporate Rules (BCR), which describe the procedures and policies deployed across all Group entities, strengthening Sodexo’s commitment to protecting users’ personal data.

GOVERNANCE

To ensure the effective implementation of the global data protection compliance program, dedicated governance has been established at both Group and country levels. This governance, detailed in the following diagram, ensures the program’s global deployment across all levels and activities of the Group.

Group data protection governance structure and compliance program

  1. Leadership
    • Sodexo Executive Committee.
    • Group Data Protection Officer.
  2. Program foundation: Group Data Protection Compliance Program.
    • Binding Corporate Rules (controller and processor).
    • Standards:
      • GDPR (General Data Protection Regulation).
      • UK GDPR.
      • CCPA (California Consumer Privacy Act).
      • ISO/IEC 17701.
  3. Key elements of the program
    • Governance.
      • Local data-protection contact points.
      • Data-protection network (by function and by country).
    • Policies and procedures.
      • End-to-end data-protection compliance processes.
      • Deployed by data-protection teams. Includes policies deployed by specialized teams, including Group cybersecurity and IT.
    • Audit & Internal Control.
      • Level 1 – Self-assessment.
      • Level 2 – Data Protection Officer and Internal Control.
      • Level 3 – Group Internal Audit.

POLICIES AND ACTIONS

Sodexo is committed to complying with laws that may require a higher level of protection than that defined in the global data protection compliance program, and therefore adapts its analyses and requirements to these regulations.

The data protection program includes an end-to-end privacy compliance process, through which IT or digital projects involving the processing of users’ personal data are reviewed by different stakeholders. This analysis covers, in particular, information on the type of personal data processed, retention periods, security measures, and compliance with regulatory principles. This process is illustrated in the diagram presented in section 6.5 of this document.

Through the deployment of the global data protection compliance program, the Global Data Protection Office works closely with many Group functions, enabling the implementation of:

  • clear and comprehensive policies, accessible at all times on our websites or applications and regularly updated, providing users with full information on how their data is processed by Sodexo, either on its own behalf or on behalf of its clients;
  • an oversight of personal data processing by Sodexo service providers, ensuring that users' data is protected in the same way as if Sodexo were processing it directly, or in accordance with Sodexo clients’ instructions;
  • the possibility for users to opt out of personal data processing, leading to the deletion of their data by Sodexo. For example, in the case of customer satisfaction surveys sent by Sodexo, a privacy notice is provided and an unsubscribe link is included in the email;
  • technical and organizational security measures adapted to the types of personal data processed, defined in collaboration with Sodexo’s information security teams or in line with client instructions when the client is the data controller;
  • policies, procedures, and templates dedicated to managing potential data breaches, ensuring the involvement of all relevant stakeholders, the rapid collection of all necessary information, and the swift resolution of incidents. In addition, the Group regularly conducts drills to ensure the effective application of these policies and procedures, as well as the preparedness and responsiveness of its teams.

Therefore, Sodexo has deployed a baseline training that should be completed by all Sodexo employees having access to personal data. Sodexo also aims to provide clear, comprehensive and up-to-date information to all consumers regarding the processing of their data by Sodexo, by updating its privacy policies online.