Global Client Relationship Management Data Protection Policy

  • This Sodexo S.A. Client Relationship Management (hereafter referred to as “CRM”) Data Protection Policy (the “Policy”) sets out our general approach to dealing with your personal data collected from you or otherwise received by Sodexo S.A. (“we”, “us”) for CRM purposes and especially for the management of the CRM database as well as for the use of marketing automation tools in the context of our global marketing campaigns (the “CRM Services”). If there is any conflict between this Policy and the data protection laws in your country, then such laws, where applicable, will prevail. 
  • This Policy may be amended, supplemented, or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. 

What is included in our CRM services?

  • The CRM Services include the management of the CRM database which is used to manage our clients’ accounts and contracts, clients’ loyalty program, to manage our prospects and, in particular, for market analysis, sales pipelines and strategic intelligence as well as the use of marketing automation tools for marketing campaigns. 
  • Access to the CRM Services is limited to Sodexo authorized persons within the Sales team on a need-to-know basis (including users responsible for managing client relations and prospecting, as well as authorized persons including Marketing, Retention, Operations, IS&T, Strategic Planning, Finance, Communication or Legal departments). Security and access rights are strictly managed in accordance with pre-defined user requirements. The system will limit the user’s access in accordance with their functions.

Definitions

  • “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
  • “Personal data” means any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person. 
  • “Us” or “Our” means Sodexo.

Who operates the CRM services?

  • Sodexo S.A., a company existing and organized under the laws of France, with its registered office at 255, Quai de la Bataille de Stalingrad, 92130 Issy-les-Moulineaux, registered at the Registry of Commerce and Companies of Nanterre under the number RCS B 301 940 219 RCS Nanterre, operates the Sodexo CRM Services and acts as the data controller at a group level pursuant to its acceptation under French Data Protection Law.

Collection and source of personal data 

  • We will most likely collect your Personal data directly from you (from forms that you filled in on our websites) or indirectly (via Sales or Operations teams, as well as external sources).

What personal data do the Sodexo CRM Services hold and for which purposes may it be used?

  • We collect and process some limited personal data including your name, professional contact details, photos, areas of interest, birthday and information in connection with the CRM Services but also your navigation data (number of clicks, email opening status, etc.) regarding the emails we send you. 

How and for which purposes will my personal data collected be used?

  • We use your personal data specifically for the following purposes:
  • Management of clients’ accounts and contracts;
  • Management of clients’ loyalty program;
  • Management of prospects;
  • Management and sending of marketing campaigns;
  • Statistical analysis to verify the effectiveness of our marketing campaigns; and
  • Improvement of the monitoring of our marketing campaigns.

On which legal basis will my personal data be collected and processed?

  • We collect and process your personal data where necessary for Sodexo S.A.’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

To whom will my personal data be disclosed?

  • Different access levels are applied to data in the context of our CRM Services to ensure that such data is visible only to appropriate users and groups who need such access for the purposes listed above or where required by law; those access levels also determine whether data will be searchable in the CRM Services.
  • Your personal data is hosted in France, Germany and the USA by our third-party service provider. Sodexo S.A. has contracted with a third-party service provider to manage the CRM Services and provide technical and other support for the applications. Your personal data may be disclosed and transferred to such third-party service provider and other contractors as deemed necessary for the purposes described in this Policy. All third-party service providers involved in the provision or the management of the CRM Services have been engaged under a data protection agreement with Sodexo S.A., whereby said third party may act only upon the instructions of Sodexo S.A. These third-party service providers may only access the CRM Services for the purposes of hosting the database, providing technical support, and providing services that enhance the efficiency of the CRM Services. Relevant personnel have been trained and authorized to support the CRM Services.
  • This third-party service provider and/or other contractors, as the case may be, may be located in countries (such as the United States) where data protection laws may not provide a level of protection equivalent to French law. If Sodexo S.A. discloses your personal data to such recipients, we will ensure that, prior to receiving or remotely accessing any of your personal data, they will provide an adequate level of protection for your personal data including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection (as is the case in the United States), Sodexo S.A. will also implement adequate safeguards. In particular, Sodexo S.A. will rely on appropriate legal mechanisms, including standard contractual clauses, to secure such transfer, in compliance with French data protection law. If you want to access a copy of the relevant standard contractual clauses, please send an email to the Global Data Protection Office at the following email address: dpo.group@sodexo.com.
  • We may also disclose your personal data to recipients among the Sodexo group entities for the purposes set forth herein. In this context, we only proceed to such disclosure provided that your personal data is solely disclosed to the relevant Sodexo group entities on a need-to-know basis with respect to the aforementioned purposes. 
  • Certain recipients of these disclosures among the Sodexo group entities may be located in foreign countries, in some of which data protection laws may not provide a level of protection equivalent to French law. If Sodexo S.A. discloses your personal data to such recipients, we will establish and/or confirm that, prior to receiving any of your personal data, they will provide an adequate level of protection for your personal data including appropriate technical and organizational security measures. Sodexo S.A. will also implement appropriate safeguards, including standard contractual clauses, to secure such transfer, in compliance with French law. If you want to access a copy of the standard contractual clauses, please send an email to the Global Data Protection Office at the following email address: dpo.group@sodexo.com.

How will my personal data be protected?

  • We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure or access, in accordance with our Group Information Security Policy.
  • We take, when appropriate, all reasonable measures based on privacy by design and privacy by default principles to implement the necessary safeguards and protect the personal data processing. We also carry out, depending on the level of risk raised by the processing, a privacy impact assessment to adopt appropriate safeguards and ensure the protection of the personal data. We also provide additional security safeguards for data considered to be sensitive personal data.

How can I access my personal data?

  • Sodexo is committed to ensuring the protection of your rights under applicable laws. You will find below a table summarizing your different rights:

Right of access: You can request access to your personal data. You may also request rectification of inaccurate personal data, or to have incomplete personal data completed. You can request any available information as to the source of the personal data, and you may also request a copy of your personal data being processed by Sodexo.

Right to be forgotten: Your right to be forgotten entitles you to request the erasure of your personal data in cases where:
(i)  the data is no longer necessary in relation to the purposes of its collection or processing;
(ii)  you choose to withdraw your consent;
(iii)  you object to the processing by automated means using technical specifications;
(iv)  your personal data has been unlawfully processed;
(v)  there is a legal obligation to erase your personal data;
(vi)  erasure is required to ensure compliance with applicable laws.

Right to restriction of processing: You may request the restriction of processing in the cases where:
(i)  you contest the accuracy of the personal data;
(ii)  Sodexo no longer needs the personal data for the purposes of the processing;
(iii)  you have objected to processing for legitimate reasons.

Right to data portability: You can request, where applicable, the portability of your personal data that you have provided to Sodexo, in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller without hindrance from Sodexo where:
a)  the processing of your personal data is based on consent or on a contract; and
b)  the processing is carried out by automated means.
You can also request that your Personal data be transmitted directly to a third party of your choice (where technically feasible).

Right not to be subject to automated decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to lodge a complaint to the competent supervisory authority: If you have a privacy-related complaint against us, you may complete and submit the Request/Complaint Form (available in our Global Data Protection Policy) or make your complaint by email or by letter in accordance with our Global Complaints/Requests Handling Policy. You may also seek recourse by contacting the competent supervisory authority or the competent court. You can notably contact our lead supervisory authority, the French supervisory authority (the “CNIL”, www.cnil.fr).

To exercise these rights, you can send your request or complaint by email to the Group CRM team at CRM_group@sodexo.com, to your local data protection single point of contact, or to the Group Data Protection Officer at dpo.group@sodexo.com.

How long will my personal data be held? 

Generally, the CRM Services will retain your personal data for 36 months after the last contact with you for the relevant purposes described in this Policy (in accordance with our Global Data Retention Policy). This may be different from country to country dependent upon local law and may be affected by specific regulatory or legal obligations for particular regulations.

How will I be notified if the uses of my data change?

  • If the uses of your personal data in the CRM Services significantly change, we will issue a new Policy and/or take other steps to notify you beforehand of such changes so that you may review them and check whether they are acceptable (to the extent necessary) to you. 
  • If you require further information about this Policy, please contact your local data protection single point of contact or the Group Data Protection Officer at dpo.group@sodexo.com.
  • If you require further information about the CRM Services, please contact the Group CRM team at CRM_group@sodexo.com.