Privacy policy

Sodexo Group builds strong and lasting relationships based on mutual trust with its clients, partners, customers, and employees: it is an absolute priority for Sodexo Group to ensure the latter's personal data remains safe and confidential. 

Sodexo Group complies with all French and European regulations and legislation governing the protection of personal data.


Sodexo Group enforces an extremely strict privacy policy to ensure the personal data of those who use its websites and other applications is well protected:

•    Each user remains in control of their own data, which is processed in a transparent, confidential and secure manner
•    Sodexo Group is committed to an ongoing approach to protect users' personal data, in compliance with the French Data Protection Act of 6 January 1978 as amended (hereinafter "DPA"), and the EU General Data Protection Regulation of 27 April 2016 (hereinafter "GDPR").
•    Sodexo Group has a team dedicated to personal data protection, consisting of a Group Data Protection Officer registered with the CNIL (French Data Protection Agency) as well as a network of contact persons dedicated to personal data protection.


DEFINITIONS:

" Personal data "    means any information relating to an identified or identifiable natural person; an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifying factor, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter referred to as the "Data Subject") 

"Us" or "our"     refers to the entity within Sodexo Group that processes Personal Data

"Data controller"     means the natural person or legal entity which determines the purposes and means of the processing of personal data

"Services"    means the services offered on the Portal and/or at one of our establishments

"Data processor "    means a natural person or legal entity which processes Personal Data on behalf of the Controller

"You"     means any user/visitor of the Portal.

"Portal"    means this website and/or, where applicable, mobile application, and any sub-sites, mirror sites, portals, URL variations thereof, if applicable. 


PURPOSE OF THIS POLICY:

Sodexo takes protection of your Personal Data very seriously. 

We have developed this policy to inform you of the conditions under which we collect, process, use and protect your Personal Data. Please read it carefully so that you know what categories of Personal Data we collect and process, how we use it, and with whom we might share it. This policy also describes your rights and how you can contact us to exercise these rights or to ask any questions you may have about your Personal Data.

This Policy may be amended, added to, or updated in order to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal Data will always be processed pursuant to the policy prevailing at the time of data collection, unless official legal regulations stipulate otherwise and are enforced retroactively.

This policy forms an integral part of the Portal's General Terms and Conditions of Use.


IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

The entity responsible for processing Personal Data is UMANIS, a simplified joint stock company with a capital of €400,000, whose registered office is located at 30, Cours de l'Ile Seguin - 92777 Boulogne-Billancourt Cedex, registered in the Trade and Companies Register under number 841 448 707.


COLLECTION & SOURCE OF PERSONAL DATA

We will most likely collect your Personal Data directly (e.g. via the data collection forms on our Portal), or indirectly (e.g. via our service providers and/or technology on our Portal).

We undertake to obtain your consent and/or to allow you to object to the use of your data for certain purposes, if necessary. In addition, you may opt in to receive personalised messages and offers from us. Should you wish to withdraw your consent, you can simply click on the "unsubscribe" link in the last message or personalised offer received from us. In any event, you will be informed of the purposes for which your data is collected via the various online data collection forms and the Cookie Management Policy.

In addition, any credit card payments that may be offered on the Portal will be handled by our payment provider specialising in secure online transactions. Transmission of your personal data such as the number, expiry date, and security code of your credit card will be done by secure connection and directly on the provider's dedicated platform. Online payments will be secured by an added layer of security offered by the 3DS authentication process.


TYPES OF PERSONAL DATA WE COLLECT AND USE

Among others, we may collect and process the following types of Personal Data:

  • the information you provide when filling in the forms on the Portal, in particular for registration purposes, participation in surveys and events, and for marketing purposes (e.g.: title, first name and surname, etc.) 
  • information you provide for authentication and web browsing purposes (e.g. IP address, cookies, etc.)
  • information you provide to book and pay for a service (e.g. telephone number, email and postal address, credit card number, etc.)
  • information you provide in a job application and, if applicable, during the recruitment process (e.g. CV, information about your education, professional experience, distinctions, diplomas, qualifications, certificates, languages spoken, salary expectations, etc.)
  • information you provide if you apply and, if relevant, take part in our "Artisan Guild" competition (e.g.: first name and surname, address, telephone number, etc.)
  • information you supply to manage a request or service
  • information you provide through publications, comments, or other content you post on the Portal.

Personal data identified by an asterisk in data collection forms is mandatory because it is required to process the request. If you do not fill in this mandatory information, we will not be able to handle your request. 


PERSONAL DATA WE MAY COLLECT AUTOMATICALLY 

We may collect certain information automatically when you visit the Portal in order to facilitate its use and to better customise it and our products and services according to your interests and needs. We undertake to obtain your consent whenever necessary. For more information, please see our Cookie Management Policy.

With your consent, we may collect some information automatically when you visit the Portal in order to personalise and enhance your experience. We collect this information by various means, as explained below.

Cookies

A "cookie" is a small information file sent to your browser when you are on our Portal and stored on your device. This file contains information such as the domain name, internet service provider, operating system, and the date and time of user access. Note that cookies will not damage your device in any way. 

Cookies are not used to establish the identity of an individual visiting our website. Cookies allow us to determine your geographical location and display language in order to improve your browsing experience. They also allow us to process information about your visit to the website – such as the pages visited and searches performed – in order to improve our website content, track your interests, and provide you with suitable content.

If you do not wish to receive cookies from our Portal, you can adjust your browser settings accordingly using our cookie management tool or directly by changing your browser settings. 

Lastly, by clicking on the social network icons for Twitter, Facebook, Linkedin etc. displayed on our Portal, and if you have agreed that cookies may be deposited while you browse on the Portal, these social networks may also deposit cookies on your device(s) (computer, tablet, mobile phone). These types of cookies are only deposited on your devices if you consent to them by continuing to browse the website. However, at any time you may withdraw your consent allowing these social networks to deposit cookies.

For more information, please see our Cookie Management Policy.

IP addresses

An IP address is a unique address that identifies electronic devices on the internet and allows them to communicate with each other. When you visit our website, we may use the IP address of the device you used to connect to the website. We use this information to determine the general physical location of the device, and to identify what geographic area visitors are from. 

Statistics

The Portal may use Google Analytics to generate statistical reports. These reports tell us, for example, how many users have visited the Portal, which pages were visited, and where website users are located geographically. Information collected via the statistics may include your IP address, the website from which you arrived at our website, and the type of device you are using. Your IP address is hidden on our systems, and will only be used insofar as is necessary to resolve technical issues, administer the Portal, and understand visitor preferences. Portal traffic information is only available to authorised staff members. We do not use any of this information to identify visitors, and we do not share it with any third parties. 


SOCIAL NETWORKS

Our Portal may offer you the option of clicking on social network icons, e.g. Twitter, Facebook, LinkedIn, etc.

Lastly, by clicking on the social network icons for Twitter, Facebook, LinkedIn, etc. displayed on our Portal, and if you have agreed that cookies may be deposited while you browse on the Portal, these social networks may also deposit cookies on your device(s) (computer, tablet, mobile phone). Video-sharing services help enrich our Portal with video content and increase its visibility.

When you click on these icons, we may have access to personal information that you have made public, and which is accessible via your profiles on these social networks. However, we neither create nor use any database separate from these social networks based on the personal information you may have published there, and we will not process any of your personal data in this way.

If you do not want us to have access to the personal information published publicly on your social media profiles or accounts, you should use the means provided by these social networks to restrict access to said information.


PURPOSES FOR WHICH WE USE PERSONAL DATA

Among other purposes, we may use your Personal Data as follows:

No.

Purpose of processing

Legal basis of processing

Duration of data retention

1

To provide services and benefits ordered on the Portal

To enter into a contract and manage our contractual relationship with you

Up to 5 years from the last activity or the end of our contractual relationship

2

To respond to your queries, such as requests for information, quotes, contacts or research

To enter into a contract and manage our contractual relationship with you


Our legitimate interest in communicating and responding to your requests, and to improve the quality and operational excellence of the services we provide you with

Up to 12 months after the last contact

3

To send you exclusive offers and news about our products and services and/or those of our partners

Our legitimate interest in improving the quality and operational excellence of the services we provide you with


Your consent to receive messages and exclusive offers from our partners

Up to 3 years from the data collection date or the last contact with you

4

To manage job applications, recruitment processes, and any hiring procedures

Performance of our contractual relationship


Our legitimate interest in managing applications and recruitment processes for job profiles suited to our needs


Compliance with certain legal obligations, particularly those that are labour-related


Your consent to keep your job application on file

For the duration of the recruitment process, if necessary extended by 2 years after obtaining your consent


During the period of employment if data was collected for recruitment purposes


5

To manage and select applications and participations of eligible candidates in the "Artisans Guild" competition

Performance of our contractual relationship


Our legitimate interest in managing the applications and participations of eligible candidates in the "Artisans Guild" competition.

For unsuccessful candidates: during the candidate selection process.


For eligible candidates: during the "Artisans Guild" competition

6

To process your dietary preference requests, in order to be able to adapt our services accordingly

To enter into a contract, and to manage our contractual relationship with you

Your consent to the processing of your dietary preferences in order to be able to adapt our services accordingly.

During the period our services are performed

7

Conducting surveys

Our legitimate interest in improving the quality and operational excellence of the services we provide you with

Up to 12 months after the last contact with you

8

To personalise and improve your experience on our Portal

Our legitimate interest in improving the quality and operational excellence of the services we provide you with

Up to 12 months after the last contact with you

9

To keep data on your receipts and/or invoices for tax and accounting purposes

Compliance with certain legal obligations

Up to 10 years


HOW LONG WILL MY PERSONAL DATA BE KEPT? 

We will keep your Personal Data only for as long as is necessary to fulfil the purposes for which it is collected and processed (see table above). 

At the end of this period, strictly relevant data may be kept (i) as evidence (in the event of a dispute or inspection by authorised bodies), (ii) to comply with statutory or regulatory retention periods, and/or (iii) to comply with a contractual obligation towards our customers.


DISCLOSURE OF PERSONAL DATA

The security and confidentiality of your Personal Data is particularly important to us. This is why access to your Personal Data is restricted only to members of our staff who need to have this information in order to process your request or provide the requested service.

We will not disclose your Personal Data to any unauthorised third parties. However we may share your data with:

  • staff of Sodexo Group entities authorised to manage services
  • our clients, including your employer when performing a contractual obligation and/or public service obligation
  • the staff of subcontractors that Sodexo Group may call on to manage services (e.g. technical service providers for hosting and maintenance, consultants, etc.)
  • Sodexo Group partners and/or entities authorised to provide certain services offered on the Portal
  • staff of organisations authorised by Sodexo Group or by law to manage services (e.g. French Family Allowances Fund, schools, etc.)

We ensure that these recipients apply proper security and confidentiality measures so that your Personal Data is protected. 

We do not allow these recipients to use or disclose your Personal Data except to the extent necessary to perform services on our behalf or to comply with legal obligations. Furthermore, we may share your Personal Data (i) if the law or legal proceedings require us to do so, (ii) in response to a request from public authorities or other government administrations, or (iii) if we consider that disclosure of such data is necessary or appropriate to protect the safety of individuals or the public, and to protect our rights and property and those of our clients.


SENSITIVE PERSONAL DATA

Generally speaking, we do not collect sensitive Personal Data through our Portal. "Sensitive personal data" means any information revealing a natural person's racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health, sex life, or sexual orientation. This definition also includes Personal Data relating to criminal convictions and offences.

Should it be strictly necessary to collect such data in order to fulfil the purpose of processing, we will do so according to local statutory requirements for the protection of personal data and, in particular, with your prior explicit consent and under the terms and conditions set out in this Privacy Policy. 


PERSONAL DATA AND MINORS

The Portal is intended for adults who are capable of entering into obligations in accordance with the legislation of the country in which they are located.

In France, a minor (i.e. a user under 15 years of age) or any legally incapable user must obtain prior consent from their legal guardian before entering personal data on the Portal.


TRANSFERS OF PERSONAL DATA

Due to the international nature of Sodexo Group, your Personal Data may be transferred to recipients inside or outside the company who are authorised to perform services on our behalf and who may be located in countries outside the European Union or the European Economic Area where an adequate level of protection for Personal Data is not provided. 

In order to guarantee the security and confidentiality of Personal Data transferred in this way, we take all steps necessary to ensure that this data is adequately protected, such as signing the European Commission's Standard Contractual Clauses or any other mechanism ensuring an equivalent level of protection.


YOUR RIGHTS

Sodexo undertakes to facilitate the exercise of your rights pursuant to applicable regulations. Below is a table summarising the various rights you have:


RIGHT OF ACCESS AND RECTIFICATION

You may request access to the Personal Data we hold about you. You may also request that inaccurate Personal Data be corrected, or that incomplete Personal Data be completed.


You also have the right to know the source of this Personal Data.

RIGHT TO ERASURE

Your right to be forgotten entitles you to request the erasure of your Personal Data when:

  1. said personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  2. you decide to withdraw your consent (in cases where your consent has been collected as the legal basis for processing). This withdrawal of consent does not affect the lawfulness of processing before its implementation
  3. you object to the processing of your Personal Data
  4. your Personal Data has been unlawfully processed
  5. your Personal Data has to be erased for compliance with a legal obligation; or
  6. erasure is required to ensure compliance with applicable legislation

RIGHT TO RESTRICTION OF PROCESSING

You may also request a restriction on the processing of your Personal Data if:

  1. you contest the accuracy of your Personal Data
  2. we no longer need your Personal Data for the purposes of processing; and
  3. you have objected to processing of your Personal Data on legitimate grounds

RIGHT TO DATA PORTABILITY

Where appropriate, you may ask us to provide you with your Personal Data in a structured, commonly used and machine-readable format, or you may ask us to transmit your Personal Data directly to another controller provided that:

  1. the processing is based on your consent or on an existing contractual relationship; and
  2. that it is carried out by automated means.

You also have the right to have your Personal Data transmitted directly to a third party of your choice (where technically feasible).


RIGHT TO OBJECT

You have the right to object ("opt out") to processing of your Personal Data (including profiling or marketing communications). If we process your Personal Data with your consent, you may withdraw your consent at any time.


At any time you may also request that we stop sending you advertisements or marketing material simply by contacting us directly and free of charge, or by using the "unsubscribe" link included in any marketing material we may email you, or by emailing the address below. This objection is without prejudice to the legality of messages sent prior to its application.


Pursuant to Article L. 223-2 of the French Consumer Code, the user is informed of their right to register free of charge on the list of opposition to telephone canvassing(www.bloctel.gouv.fr).

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING


You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similar significantly affects you.

RIGHT TO ISSUE ADVANCE DIRECTIVES
ON THE PROCESSING OF YOUR PERSONAL DATA AFTER YOUR DEATH

In accordance with French law on the protection of personal data, you may also issue directives on how to exercise the rights set out in this section after your death, (in particular rights relating to retention, deletion and/or communication), and you may appoint a person responsible for the exercise of these rights.

RIGHT TO FILE A COMPLAINT

You may choose to file a complaint with the French Data Protection Authority ("Commission Nationale de l'Informatique et des Libertés") via the following link: www.cnil.fr.

You also have the right to take legal action before the courts of the country in which the Sodexo entity has a place of business, or in the country where you usually reside.


To exercise these rights, you can fill in this online form. We may ask you for additional information in order to identify you and be able to process your request. 


SECURITY 

We take all technical and organisational measures to ensure the security and confidentiality of the Personal Data processed.

In this regard, and in view of the nature of the Personal Data and the risks presented by processing, we take all necessary precautions in order to preserve data security and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties (through physical protection of premises, authentication procedures with personal and secure access by means of confidential logins and passwords, logging of connections, encrypting certain data, etc.).


CUSTOMER RELATIONSHIP MANAGEMENT ("CRM") DATABASES

We use a database to manage, monitor, and develop our business relationships with our existing and/or potential customers. This database includes the Personal Data of clients' employees or of other partners with whom we have a business relationship or with whom we would like to establish such a relationship. This data, used solely for these purposes, includes contact details (first name and surname, professional telephone number and email address, etc.), publicly available information, answers to targeted emails, and other information collected and recorded by our employees in the course of interactions with our customers and/or partners.

This database may be shared with subsidiaries and/or other business partners of Sodexo Group with whom we already have or would like to develop a business relationship. It will only be used by subsidiaries or partners to send messages to our existing and/or potential customers or to offer the latter services related to their business. Any individual whose contact details are subject to such a transfer may ask said recipients to remove them from their CRM database. If you wish to be removed from our CRM databases, please fill in our Request Form.


LINKS TO OTHER WEBSITES 

For your information and convenience we occasionally provide links to other websites. These websites are mostly Sodexo Group websites, but some of them operate independently and are not under our control. These third-party websites may have their own privacy policies or terms and conditions of use, which we strongly suggest you consult. We are in no way responsible for the content of these websites, for the products and services that may be offered thereon, or for any other use.


UPDATES TO OUR PRIVACY POLICY

From time to time, if our Services or legal obligations change significantly we may update or amend this policy. Should we make any substantial changes, we will post a notice on our Portal when the changes take effect. Please visit this page regularly for updates on any such changes to the policy.

If you have any questions or comments about this policy, please contact us at dpo.oss.fr@sodexo.com.


Last updated: MAY 2022