Universal Registration Document Fiscal 2025

6.5 Data protection

Innovation, new technology and data, including personal data, are essential at Sodexo. Wherever Sodexo serves its clients and its consumers and wherever its employees are located, the Company makes responsible use of their data while respecting privacy and the applicable data protection rules.

The table below summarizes the key actions implemented as part of the Global Data Protection Program based on common standards rolled out worldwide, which led to the approval of the Sodexo Group’s Binding Corporate Rules (or BCR).

Pillars of the Global Data Protection Program – Description of key actions implemented

Data protection governance mechanisms

The appointment of a Data Protection Officer and the implementation of a hybrid governance

Since Fiscal 2018, the Sodexo Group has had an expert team dedicated to data protection (the Global Data Protection Office), with a Group Data Protection Officer reporting directly to the Group General Counsel.

The Group’s Data Protection Officer, together with the members of the Global Data Protection Office and a network of around 60 country-level dedicated data protection single points of contact, assists the Group in its compliance with data protection laws and the Global Data Protection Program. These points of contact are responsible for assisting local governance bodies in the execution and, if necessary, the adaptation of the compliance program to the specific challenges and issues of their respective scopes.

In order to ensure better integration of these points of contact and strengthen their expertise, the Global Data Protection Office has created a “Data Protection Academy” which consists of a two-day theoretical and practical training session. Since the GDPR became effective, eight academy training sessions have been held for data protection contact points. Additionally, with a view to ensuring that the personal data protection network stays ahead of the learning curve, that best practices are harmonized and the Group’s data protection policies and procedures are consistently implemented, the network is continuously monitored by the Global Data Protection Office and the Group Internal Control teams, as described below.

Integrated governance with the teams in charge of information security

The Group Data Protection Office works closely with other Group Departments, such as the Chief Information Security Officer and the Chief Data Officer. This collaboration has been structured at the Group level from Fiscal 2019 in the form of a Global Cyber-Security and Privacy Review Committee, also comprising the Group General Counsel, the Group Chief Tech, Data and Digital Officer, the Group Internal Control Officer and representatives of the Sodexo Leadership Team. This collaboration has also resulted in the implementation, on the one hand, of integrated processes for project review from the design stage and for supplier review, prior to the contractual phase and, on the other hand, protocols for joint response, especially regarding the management of security incidents and personal data breaches.

Integrated governance with teams responsible for data and technology

The Sodexo Group is interested in technological advances, such as artificial intelligence, which could improve the daily life of its employees and of the consumers the Group serves. The Group is aware of the opportunities arising from artificial intelligence, but also of the importance of deploying this technology in a compliant and ethical way. In order to remain disciplined with regard to its values and responsible business conduct, the Sodexo Group has set up a multidisciplinary committee to facilitate the analysis of operational initiatives and to answer questions efficiently, in compliance with a set of rules of good conduct that is adapted and updated on the basis of experience and in line with the new regulations being developed worldwide.

Actions related to accountability

Framework for the Global Data Protection Program(1)

The Sodexo Group Global Data Protection Program is a set of common rules for the Group, drawn up on the basis of the General Data Protection Regulation (GDPR) principles – widely included in most data protection laws outside the European Union – while enabling compliance with specific local legal obligations.

This Global Data Protection Program is the basis of the Sodexo Group’s BCR, which were approved on December 21, 2023, by the French data protection authority (the “CNIL”), acting as the Group’s competent lead authority, as well as by its counterparts in the European Union and the European Data Protection Board (EDPB), following collaboration with these authorities for over five years. BCR are a legal tool provided for in the GDPR that allows multinational companies to adopt a binding code of conduct to effectively apply common data protection compliance management rules and provides a framework for the transfer of personal data within the same group.

A tool for managing compliance with data protection rules

This tool supports the Global Data Protection Program by implementing automated processes to ensure:

    • upkeep and maintenance of data processing records;
    • management and tracking of requests to exercise the rights of data subjects;
    • assessment of the risks to the rights and freedoms of data subjects, from the design stage of projects that involve processing personal data; and
    • IT risk assessment prior to any contracts being signed with suppliers.
Data sharing

Intra-Group data sharing

Sodexo Group’s BCR replaced the Intra-Group Data Processing Agreement (IGDPA), set up during Fiscal 2022, as the legal framework for sharing personal data within the Group. Compliance with the Sodexo Group’s BCR is verified on a yearly basis by the Group Data Protection Office, which has also created a deployment plan for new entities that want to join this framework.

Data sharing with third parties

A best practice code for data sharing with third parties, drawn up by the Group’s Data Protection Office in Fiscal 2018, made it possible to harmonize practices where data processing operations are either fully or partially outsourced to third parties.

More recently, following the European Court of Justice’s decision in the “Schrems II” case(2), Sodexo has developed an automated method of assessing the impact of data transfers on the protection of personal data (Transfer Impact Assessment – TIA) in terms of the rights and freedoms of the individuals concerned. This assessment is performed on the basis of the recommendations published by the EDPB(3).

Processes and tools ensuring better risk management and personal data protection from the project design phase (“privacy by design”)

Privacy by design

An End2End Privacy Compliance Process, which comprises various questionnaires for risk assessment and impact analysis, was put in place during Fiscal 2022. This process is summarized in the diagram below:

Risk management process for privacy and data security:

    • Step 1: New or updated project – involves personal data (without an IT solution/tool), or involves an IT solution/tool.
    • Step 2: Privacy impact analysis – Data Protection Impact Assessment (DPIA) where the project is high-risk for personal data; legitimate interest assessment where legitimate interest is used as the legal basis; evaluation of the data-protection compliance of the service provider where a data processor is involved (provider acts as a processor).
    • Step 3: Security risk assessment – evaluation of the provider’s security compliance where a third-party provider is involved; review of technical and organizational measures.
    • Step 4: Transfer impact assessment – where a transfer to a non-adequate country is involved.
    • Step 5: Compliance actions – informing the data subjects; signing a binding agreement.
    • Step 6: Documentation to be implemented – data protection compliance policy and processing notice; record of processing activities; data processing agreement (DPA); transfer safeguard mechanisms (if necessary).

Subprocess – Privacy by design: processes and tools ensuring improved risk management and protection of personal data from the project design stage onward.

The starting point for this process continues to be the questionnaire that must be completed for any IT or digital project to identify the risks associated with information security. If internal stakeholders indicate that the project involves the processing of personal data, the data protection teams are automatically involved in reviewing the project. The data protection teams are then able to carry out systematic assessments from the project design stage, through a privacy assessment of the impact of the personal data processing on the rights and freedoms of the data subjects. If a high risk is identified, they conduct a data protection impact analysis to evaluate the origin, nature, specific features and severity of this risk. Consequently, the data protection teams are able to determine, from the design stage of a project or the modification of an existing project, the initial measures to be put in place to ensure that the data processing complies with Sodexo’s overall compliance program and the applicable data protection regulations.

This process also gives internal stakeholders greater accountability, and allows other compliance assessments, such as a risk assessment when a supplier is involved, an impact analysis of an international data transfer or an analysis of Sodexo’s legitimate interest, to be conducted automatically.

Privacy by default

A risk assessment is carried out prior to contracts being signed with suppliers.

This assessment of the risks associated with the processing of personal data by Sodexo’s suppliers has been automated, and work to integrate the process with that of the global information system security teams means that a common score can be used for supplier compliance in terms of both the protection of personal data and information security.

Continuous risk management and regular, targeted controls

Continuous risk management relies on a questionnaire to verify the proper application of the Sodexo Group’s BCR. On an annual basis since Fiscal 2022, local data protection contact points have used this questionnaire to carry out a self-assessment of compliance with the personal data processing procedures implemented by the Group entities within their scope. This self-assessment is then verified by the internal control teams.

In addition, internal control teams conduct targeted controls of some of the Group entities as necessary. Furthermore, as part of Sodexo’s regulated activities, specific audits have been implemented by the competent authorities in order to confirm proper compliance of the Group entities concerned.

Internal control and audit teams receive enhanced training on the key elements involved in personal data protection in order to monitor the effectiveness of the Group’s compliance program and formulate relevant recommendations as effectively as possible.

Response protocols in the event of requests by data subjects or personal data breaches

Response to requests concerning rights regarding data protection

The Group’s data protection teams adopt an ongoing process of continuous improvement as regards the procedures for managing requests relating to personal data protection rights (rights of access, rectification or deletion of data, for example). To do this, they rely on recommendations issued by the relevant supervisory authorities and best practices shared by Sodexo’s data protection network. They are required to handle an increasing number of requests from the Group’s consumers and employees in Europe and worldwide, which goes hand in hand with data subjects’ growing awareness of their rights and freedoms under personal data protection regulations.

Thanks to the implementation of procedures, forms and dedicated teams that have undergone extra training on these topics, all of the requests received have been properly managed.

Response to security incidents and personal data breaches

To ensure that any security incidents resulting in personal data breaches are properly managed, the Group’s Data Protection Officer and the Group’s Chief Information Security Officer have jointly drafted a Group directive to be adapted locally by all Sodexo entities. The directive sets out the people to contact and the measures to take when a personal data breach is suspected or detected.

A dedicated system has also been deployed to deal with any such security incidents even more efficiently and to enable a register of the incidents to be kept. In addition, local data protection single points of contact are trained in assessing the risk to data subjects. This training is based in particular on the recommendations of the EDPB. All connected Sodexo Group employees have also undergone training to identify potential breaches and incidents that should be reported to the incident management teams.

The Group Data Protection Office keeps an overall register of personal data breaches, into which incidents can be entered by the local data protection single points of contact, thanks to a simplified, automated reporting system.

Since Fiscal 2022, the Group has organized crisis management exercises involving hypothetical security incidents. The Group’s Data Protection Officer took part in these exercises, which were designed to improve the structure of the internal crisis cells, their responsiveness, and therefore the effectiveness of the protocol for responding to security incidents and personal data breaches.

Cooperation with the data protection authorities

Through its hybrid data protection governance, the Sodexo Group maintains relationships of trust and cooperation with the CNIL and the other European supervisory authorities, particularly in the context of its management of complaints and requests to exercise rights.

Transparency with regard to data subjects and raising awareness among employees

Transparency

The data protection teams regularly create and update information notices, privacy policies and other documents to ensure transparency regarding data processing. The creation and updating of these documents is one of the actions implemented as part of the privacy by design process described above.

Additionally, a platform enabling users to give consent and manage cookies and other trackers on their web browsers or cell phones has been in place since Fiscal 2020.

Awareness-raising

As an extension of the global training program for Sodexo employees on GDPR principles initiated during Fiscal 2019, a new training module was rolled out in Fiscal 2023 to remind all connected Group employees working on our sites and in Sodexo's offices of the principles of personal data protection and to prepare them, raise their awareness and have them take responsibility for the Sodexo Group’s BCR.

Other awareness-raising campaigns were held in previous fiscal years, on simple good conduct rules and the “We believe in Privacy” visual identity, which are consistent with other Responsible Business Conduct programs. As part of the communication campaign within the Sodexo Group on the approval of the Sodexo Group’s BCR during Fiscal 2024, various training and awareness-raising initiatives were implemented on the Global Data Protection Program and on the principles described in the Sodexo Group’s BCR.

During Fiscal 2025, the Sodexo Group fine-tuned its simple rules and guidelines relating to the use of artificial intelligence systems, which need to be developed further as the technology itself and its uses evolve.