Sodexo Group builds strong and lasting relationships based on mutual trust with its clients, partners, customers, and employees: it is an absolute priority for Sodexo Group to ensure the latter's personal data remains safe and confidential.
Sodexo Group complies with all French and European regulations and legislation governing the protection of personal data.
Sodexo Group enforces an extremely strict privacy policy to ensure the personal data of those who use its websites and other applications is well protected:
• Each user remains in control of their own data, which is processed in a transparent, confidential and secure manner
• Sodexo Group is committed to an ongoing approach to protect users' personal data, in compliance with the French Data Protection Act of 6 January 1978 as amended (hereinafter "DPA"), and the EU General Data Protection Regulation of 27 April 2016 (hereinafter "GDPR").
• Sodexo Group has a team dedicated to personal data protection, consisting of a Group Data Protection Officer registered with the CNIL (French Data Protection Agency) as well as a network of contact persons dedicated to personal data protection.
DEFINITIONS:
" Personal data " means any information relating to an identified or identifiable natural person; an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifying factor, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter referred to as the "Data Subject")
"Us" or "our" refers to the entity within Sodexo Group that processes Personal Data
"Data controller" means the natural person or legal entity which determines the purposes and means of the processing of personal data
"Services" means the services offered on the Portal and/or at one of our establishments
"Data processor " means a natural person or legal entity which processes Personal Data on behalf of the Controller
"You" means any user/visitor of the Portal.
"Portal" means this website and/or, where applicable, mobile application, and any sub-sites, mirror sites, portals, URL variations thereof, if applicable.
PURPOSE OF THIS POLICY:
Sodexo takes protection of your Personal Data very seriously.
We have developed this policy to inform you of the conditions under which we collect, process, use and protect your Personal Data. Please read it carefully so that you know what categories of Personal Data we collect and process, how we use it, and with whom we might share it. This policy also describes your rights and how you can contact us to exercise these rights or to ask any questions you may have about your Personal Data.
This Policy may be amended, added to, or updated in order to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal Data will always be processed pursuant to the policy prevailing at the time of data collection, unless official legal regulations stipulate otherwise and are enforced retroactively.
This policy forms an integral part of the Portal's General Terms and Conditions of Use.
IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
The entity responsible for processing Personal Data is UMANIS, a simplified joint stock company with a capital of €400,000, whose registered office is located at 30, Cours de l'Ile Seguin - 92777 Boulogne-Billancourt Cedex, registered in the Trade and Companies Register under number 841 448 707.
COLLECTION & SOURCE OF PERSONAL DATA
We will most likely collect your Personal Data directly (e.g. via the data collection forms on our Portal), or indirectly (e.g. via our service providers and/or technology on our Portal).
We undertake to obtain your consent and/or to allow you to object to the use of your data for certain purposes, if necessary. In addition, you may opt in to receive personalised messages and offers from us. Should you wish to withdraw your consent, you can simply click on the "unsubscribe" link in the last message or personalised offer received from us. In any event, you will be informed of the purposes for which your data is collected via the various online data collection forms and the Cookie Management Policy.
In addition, any credit card payments that may be offered on the Portal will be handled by our payment provider specialising in secure online transactions. Transmission of your personal data such as the number, expiry date, and security code of your credit card will be done by secure connection and directly on the provider's dedicated platform. Online payments will be secured by an added layer of security offered by the 3DS authentication process.
TYPES OF PERSONAL DATA WE COLLECT AND USE
Among others, we may collect and process the following types of Personal Data:
- the information you provide when filling in the forms on the Portal, in particular for registration purposes, participation in surveys and events, and for marketing purposes (e.g.: title, first name and surname, etc.)
- information you provide for authentication and web browsing purposes (e.g. IP address, cookies, etc.)
- information you provide to book and pay for a service (e.g. telephone number, email and postal address, credit card number, etc.)
- information you provide in a job application and, if applicable, during the recruitment process (e.g. CV, information about your education, professional experience, distinctions, diplomas, qualifications, certificates, languages spoken, salary expectations, etc.)
- information you provide if you apply and, if relevant, take part in our "Artisan Guild" competition (e.g.: first name and surname, address, telephone number, etc.)
- information you supply to manage a request or service
- information you provide through publications, comments, or other content you post on the Portal.
Personal data identified by an asterisk in data collection forms is mandatory because it is required to process the request. If you do not fill in this mandatory information, we will not be able to handle your request.
PERSONAL DATA WE MAY COLLECT AUTOMATICALLY
We may collect certain information automatically when you visit the Portal in order to facilitate its use and to better customise it and our products and services according to your interests and needs. We undertake to obtain your consent whenever necessary. For more information, please see our Cookie Management Policy.
With your consent, we may collect some information automatically when you visit the Portal in order to personalise and enhance your experience. We collect this information by various means, as explained below.
Cookies
A "cookie" is a small information file sent to your browser when you are on our Portal and stored on your device. This file contains information such as the domain name, internet service provider, operating system, and the date and time of user access. Note that cookies will not damage your device in any way.
Cookies are not used to establish the identity of an individual visiting our website. Cookies allow us to determine your geographical location and display language in order to improve your browsing experience. They also allow us to process information about your visit to the website – such as the pages visited and searches performed – in order to improve our website content, track your interests, and provide you with suitable content.
If you do not wish to receive cookies from our Portal, you can adjust your browser settings accordingly using our cookie management tool or directly by changing your browser settings.
Lastly, by clicking on the social network icons for Twitter, Facebook, Linkedin etc. displayed on our Portal, and if you have agreed that cookies may be deposited while you browse on the Portal, these social networks may also deposit cookies on your device(s) (computer, tablet, mobile phone). These types of cookies are only deposited on your devices if you consent to them by continuing to browse the website. However, at any time you may withdraw your consent allowing these social networks to deposit cookies.
For more information, please see our Cookie Management Policy.
IP addresses
An IP address is a unique address that identifies electronic devices on the internet and allows them to communicate with each other. When you visit our website, we may use the IP address of the device you used to connect to the website. We use this information to determine the general physical location of the device, and to identify what geographic area visitors are from.
Statistics
The Portal may use Google Analytics to generate statistical reports. These reports tell us, for example, how many users have visited the Portal, which pages were visited, and where website users are located geographically. Information collected via the statistics may include your IP address, the website from which you arrived at our website, and the type of device you are using. Your IP address is hidden on our systems, and will only be used insofar as is necessary to resolve technical issues, administer the Portal, and understand visitor preferences. Portal traffic information is only available to authorised staff members. We do not use any of this information to identify visitors, and we do not share it with any third parties.
SOCIAL NETWORKS
Our Portal may offer you the option of clicking on social network icons, e.g. Twitter, Facebook, LinkedIn, etc.
Lastly, by clicking on the social network icons for Twitter, Facebook, LinkedIn, etc. displayed on our Portal, and if you have agreed that cookies may be deposited while you browse on the Portal, these social networks may also deposit cookies on your device(s) (computer, tablet, mobile phone). Video-sharing services help enrich our Portal with video content and increase its visibility.
When you click on these icons, we may have access to personal information that you have made public, and which is accessible via your profiles on these social networks. However, we neither create nor use any database separate from these social networks based on the personal information you may have published there, and we will not process any of your personal data in this way.
If you do not want us to have access to the personal information published publicly on your social media profiles or accounts, you should use the means provided by these social networks to restrict access to said information.
PURPOSES FOR WHICH WE USE PERSONAL DATA
Among other purposes, we may use your Personal Data as follows:
No. | Purpose of processing | Legal basis of processing | Duration of data retention |
1 | To provide services and benefits ordered on the Portal | To enter into a contract and manage our contractual relationship with you | Up to 5 years from the last activity or the end of our contractual relationship |
2 | To respond to your queries, such as requests for information, quotes, contacts or research | To enter into a contract and manage our contractual relationship with you Our legitimate interest in communicating and responding to your requests, and to improve the quality and operational excellence of the services we provide you with | Up to 12 months after the last contact |
3 | To send you exclusive offers and news about our products and services and/or those of our partners | Our legitimate interest in improving the quality and operational excellence of the services we provide you with Your consent to receive messages and exclusive offers from our partners | Up to 3 years from the data collection date or the last contact with you |
4 | To manage job applications, recruitment processes, and any hiring procedures | Performance of our contractual relationship Our legitimate interest in managing applications and recruitment processes for job profiles suited to our needs Compliance with certain legal obligations, particularly those that are labour-related Your consent to keep your job application on file | For the duration of the recruitment process, if necessary extended by 2 years after obtaining your consent During the period of employment if data was collected for recruitment purposes |
To manage and select applications and participations of eligible candidates in the "Artisans Guild" competition | Performance of our contractual relationship Our legitimate interest in managing the applications and participations of eligible candidates in the "Artisans Guild" competition. | For unsuccessful candidates: during the candidate selection process. For eligible candidates: during the "Artisans Guild" competition | |
6 | To process your dietary preference requests, in order to be able to adapt our services accordingly | To enter into a contract, and to manage our contractual relationship with you Your consent to the processing of your dietary preferences in order to be able to adapt our services accordingly. | During the period our services are performed |
7 | Conducting surveys | Our legitimate interest in improving the quality and operational excellence of the services we provide you with | Up to 12 months after the last contact with you |
8 | To personalise and improve your experience on our Portal | Our legitimate interest in improving the quality and operational excellence of the services we provide you with | Up to 12 months after the last contact with you |
9 | To keep data on your receipts and/or invoices for tax and accounting purposes | Compliance with certain legal obligations | Up to 10 years |
HOW LONG WILL MY PERSONAL DATA BE KEPT?
We will keep your Personal Data only for as long as is necessary to fulfil the purposes for which it is collected and processed (see table above).
At the end of this period, strictly relevant data may be kept (i) as evidence (in the event of a dispute or inspection by authorised bodies), (ii) to comply with statutory or regulatory retention periods, and/or (iii) to comply with a contractual obligation towards our customers.
DISCLOSURE OF PERSONAL DATA
The security and confidentiality of your Personal Data is particularly important to us. This is why access to your Personal Data is restricted only to members of our staff who need to have this information in order to process your request or provide the requested service.
We will not disclose your Personal Data to any unauthorised third parties. However we may share your data with:
- staff of Sodexo Group entities authorised to manage services
- our clients, including your employer when performing a contractual obligation and/or public service obligation
- the staff of subcontractors that Sodexo Group may call on to manage services (e.g. technical service providers for hosting and maintenance, consultants, etc.)
- Sodexo Group partners and/or entities authorised to provide certain services offered on the Portal
- staff of organisations authorised by Sodexo Group or by law to manage services (e.g. French Family Allowances Fund, schools, etc.)
We ensure that these recipients apply proper security and confidentiality measures so that your Personal Data is protected.
We do not allow these recipients to use or disclose your Personal Data except to the extent necessary to perform services on our behalf or to comply with legal obligations. Furthermore, we may share your Personal Data (i) if the law or legal proceedings require us to do so, (ii) in response to a request from public authorities or other government administrations, or (iii) if we consider that disclosure of such data is necessary or appropriate to protect the safety of individuals or the public, and to protect our rights and property and those of our clients.
SENSITIVE PERSONAL DATA
Generally speaking, we do not collect sensitive Personal Data through our Portal. "Sensitive personal data" means any information revealing a natural person's racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health, sex life, or sexual orientation. This definition also includes Personal Data relating to criminal convictions and offences.
Should it be strictly necessary to collect such data in order to fulfil the purpose of processing, we will do so according to local statutory requirements for the protection of personal data and, in particular, with your prior explicit consent and under the terms and conditions set out in this Privacy Policy.
PERSONAL DATA AND MINORS
The Portal is intended for adults who are capable of entering into obligations in accordance with the legislation of the country in which they are located.
In France, a minor (i.e. a user under 15 years of age) or any legally incapable user must obtain prior consent from their legal guardian before entering personal data on the Portal.
TRANSFERS OF PERSONAL DATA
Due to the international nature of Sodexo Group, your Personal Data may be transferred to recipients inside or outside the company who are authorised to perform services on our behalf and who may be located in countries outside the European Union or the European Economic Area where an adequate level of protection for Personal Data is not provided.
In order to guarantee the security and confidentiality of Personal Data transferred in this way, we take all steps necessary to ensure that this data is adequately protected, such as signing the European Commission's Standard Contractual Clauses or any other mechanism ensuring an equivalent level of protection.
YOUR RIGHTS
Sodexo undertakes to facilitate the exercise of your rights pursuant to applicable regulations. Below is a table summarising the various rights you have:
RIGHT OF ACCESS AND RECTIFICATION | You may request access to the Personal Data we hold about you. You may also request that inaccurate Personal Data be corrected, or that incomplete Personal Data be completed. You also have the right to know the source of this Personal Data. |
RIGHT TO ERASURE | Your right to be forgotten entitles you to request the erasure of your Personal Data when:
|
RIGHT TO RESTRICTION OF PROCESSING | You may also request a restriction on the processing of your Personal Data if:
|
RIGHT TO DATA PORTABILITY | Where appropriate, you may ask us to provide you with your Personal Data in a structured, commonly used and machine-readable format, or you may ask us to transmit your Personal Data directly to another controller provided that:
You also have the right to have your Personal Data transmitted directly to a third party of your choice (where technically feasible). |
RIGHT TO OBJECT | You have the right to object ("opt out") to processing of your Personal Data (including profiling or marketing communications). If we process your Personal Data with your consent, you may withdraw your consent at any time. At any time you may also request that we stop sending you advertisements or marketing material simply by contacting us directly and free of charge, or by using the "unsubscribe" link included in any marketing material we may email you, or by emailing the address below. This objection is without prejudice to the legality of messages sent prior to its application. Pursuant to Article L. 223-2 of the French Consumer Code, the user is informed of their right to register free of charge on the list of opposition to telephone canvassing(www.bloctel.gouv.fr). |
RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similar significantly affects you. |
RIGHT TO ISSUE ADVANCE DIRECTIVES | In accordance with French law on the protection of personal data, you may also issue directives on how to exercise the rights set out in this section after your death, (in particular rights relating to retention, deletion and/or communication), and you may appoint a person responsible for the exercise of these rights. |
RIGHT TO FILE A COMPLAINT | You may choose to file a complaint with the French Data Protection Authority ("Commission Nationale de l'Informatique et des Libertés") via the following link: www.cnil.fr. You also have the right to take legal action before the courts of the country in which the Sodexo entity has a place of business, or in the country where you usually reside. |
To exercise these rights, you can fill in this online form. We may ask you for additional information in order to identify you and be able to process your request.
SECURITY
We take all technical and organisational measures to ensure the security and confidentiality of the Personal Data processed.
In this regard, and in view of the nature of the Personal Data and the risks presented by processing, we take all necessary precautions in order to preserve data security and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties (through physical protection of premises, authentication procedures with personal and secure access by means of confidential logins and passwords, logging of connections, encrypting certain data, etc.).
CUSTOMER RELATIONSHIP MANAGEMENT ("CRM") DATABASES
We use a database to manage, monitor, and develop our business relationships with our existing and/or potential customers. This database includes the Personal Data of clients' employees or of other partners with whom we have a business relationship or with whom we would like to establish such a relationship. This data, used solely for these purposes, includes contact details (first name and surname, professional telephone number and email address, etc.), publicly available information, answers to targeted emails, and other information collected and recorded by our employees in the course of interactions with our customers and/or partners.
This database may be shared with subsidiaries and/or other business partners of Sodexo Group with whom we already have or would like to develop a business relationship. It will only be used by subsidiaries or partners to send messages to our existing and/or potential customers or to offer the latter services related to their business. Any individual whose contact details are subject to such a transfer may ask said recipients to remove them from their CRM database. If you wish to be removed from our CRM databases, please fill in our Request Form.
LINKS TO OTHER WEBSITES
For your information and convenience we occasionally provide links to other websites. These websites are mostly Sodexo Group websites, but some of them operate independently and are not under our control. These third-party websites may have their own privacy policies or terms and conditions of use, which we strongly suggest you consult. We are in no way responsible for the content of these websites, for the products and services that may be offered thereon, or for any other use.
UPDATES TO OUR PRIVACY POLICY
From time to time, if our Services or legal obligations change significantly we may update or amend this policy. Should we make any substantial changes, we will post a notice on our Portal when the changes take effect. Please visit this page regularly for updates on any such changes to the policy.
If you have any questions or comments about this policy, please contact us at dpo.oss.fr@sodexo.com.
Last updated: MAY 2022