Data Protection Rights Management Policy

Last update:  20th June 2022

  1. Preamble

Sodexo is committed to handling Personal Data in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and any other applicable law and aims to deal promptly and efficiently with any queries relating to Sodexo’s processing of Personal Data.

In some cases, Sodexo entities may act as a Processor on behalf of a Client. In this instance the Client is responsible for handling Data subject Requests relating to compliance with applicable legislation and the Data subject’s Personal Data.

  1. Definitions

  • Client means organizations or corporations that ask Sodexo to perform services on their behalf for their employees / On-site personnel that are the end-users of these services.
  • Complaint means the complaint lodged by a Data subject with the Local Data Protection Single Point of Contact or a court of justice if the Data subject considers his or her rights under the applicable Data Protection Laws are infringed.
  • Controller means the entity that determines the purposes and means of the Personal Data processing.
  • Data subject means an identified or identifiable individual whose Personal Data is concerned by processing within Sodexo, including the Personal Data of Sodexo’s current, past and prospective applicants, employees, clients, consumers/beneficiaries, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
  • Group Data Protection Officer means the person appointed and endorsed by the Sodexo Group Executive Committee to oversee data protection issues at the Sodexo Group level, to define and administer the Sodexo data protection compliance program and good practices relating to data protection and to ensure their implementation.
  • Local Data Protection Single Point of Contact means the individual appointed by a Sodexo entity, in charge of handling local data protection issues. In some cases, the Local Data Protection Single Point of Contact can be appointed as Local Data Protection Officer where required by applicable data protection law.
  • Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing or Personal Data Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Request means one of the mechanisms provided to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.
  • Sodexo entity or Sodexo entities means Sodexo SVC India Pvt. Ltd.

  1. Scope

This policy applies to Sodexo BRS entities in India (hereinafter designated as “Sodexo”) for all dimensions and activities, in all geographies where we operate, This policy applies to the Processing of Personal Data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Data” as defined above.

In this policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the organization of Sodexo BRS entities in India.

  1. Your rights

Where Sodexo processes your Personal Data for its own purposes, please consult the Section “Your Rights” of our  Indian Data Protection Policy.

Where Sodexo processes Personal Data on behalf of a Client, Sodexo will notify the Client of any Data subject’s Request received. Sodexo will cooperate and provide the Client with assistance in relation to the Request, to the extent legally permitted.

  1. What our teams will do if they receive a Request?

Our approach is to engage positively and resolve your Request in a satisfactory manner without you having to file a complaint to the local Court or the relevant Local Data Protection Single Point of Contact.

If you have any queries with the Processing of your Personal Data, you should not hesitate to raise your query to Sodexo. To help us to deal with your Request, please provide a full written explanation of your query by completing the Request form as provided hereinbelow.

Sodexo shall inform its Client acting as Controller of any Request made by a Data subject as soon as possible. The Client will be in charge of handling such Request and Sodexo will assist the Client in responding to Data subject Requests. Sodexo will directly handle Requests only when it is agreed with the Client or if the Client disappeared or cease to exist in law or became insolvent. In all other cases, Sodexo will assist the Client in responding to Data subject Requests.

  1.  Handling Requests

At the time of drafting your Request and to allow Sodexo to deal promptly with your Request in the most efficient manner, you are invited to follow these steps:

STEP 1: Complete and submit the Request form by email to the generic email address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Data.

STEP 2: Your Request will be treated confidentially and fully investigated where necessary. During this process, you may receive additional communication from Sodexo’s Local Data Protection Single Point of Contact and/or Sodexo’s Global Data Protection Office to investigate your concern. If you have not provided sufficient information in your Request, we will let you know what further information is needed to process your Request.

STEP 3: Once the information related to your Request is complete, we will contact you within thirty (30) days to provide you with an answer. This deadline may be extended in certain circumstances, depending on the nature of the Request.

STEP 4: Please note that you can choose to lodge a complaint with appropriate authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages.

You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

REQUEST FORM

[To be sent by email to the generic email address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Data and/or to the Local Data Protection Point of Contact at the following address dpo.brs.in@sodexo.com]

 

Contact Information:

(Name (Last, First))…………………………………………………………………………………………………………..

(Telephone number)………………………………………………………………………………………………………….

(Email address)……………………………………………………………………………………………………………….

(Postal address)………………………………………………………………………………………………………………

Please indicate your preferred method of contact by ticking the box to the right.

If your preferred method of contact is the postal address, please indicate where you would like our response to be sent:

 Home Address or  Business Address

If business address, please provide company name: ……………………………………………………………….

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

 

In order to help us identify systems that may contain information about you, please check the boxes below that describe your relationship with Sodexo:

 Job applicant

 Former employee or contractor

 Current employee of Sodexo

 Employee family member, dependent, beneficiary or emergency contact

 Employee of Sodexo Client or business partner

 Employee of a Sodexo supplier or vendor

 Individual – Consumer

 Other – please describe

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If your information may be under another name, please provide that name and reason for the change:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

We may request from you a certified copy of a valid official identification documentation to allow us to verify your name and address (e.g. valid passport or identity card).

If you request to access your Personal Data or request data portability, please specify the Personal Data which is subject to the request and confirm that they may be sent by email to the address above or, if technically feasible, to the address of a new Controller as set out below, for the data portability request:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If you request rectification of your Personal Data, please specify below the data to be rectified, and provide the justification for such request:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If you request that the Processing of your Personal Data is restricted please specify the processing in issue, and provide the justification for such request:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If you request the erasure of your Personal Data, please specify below the Personal Data to be deleted and provide the justification for such request:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If you object to the processing of your Personal Data, please specify below the Personal Data you object to us processing and provide the justification for such objection:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

If you believe that your data protection rights may have been breached, you have the right to lodge a complaint with the appropriate authority , or to seek a remedy through the courts. You can also contact us if you have any queries or concerns. In such a case you can detail your query or concern here:

……………………………………………………………………………………………………………………………………

……………………………………………………………………………………………………………………………………

The information collected in this form is intended to enable the relevant Local Data Protection Point of Contact to respond to your Request. This information will be archived after the Request has been treated for (05) five years and then deleted. For any question related to this Request Form, please send your Request at the following email address dpo.brs.in@sodexo,com.