Global Data Protection Policy
The following information is provided to inform you of Sodexo’s commitments regarding Personal data protection.
Sodexo builds strong, lasting relationships with its customers, partners, and consumers based on mutual trust. Making sure that their Personal data is safe and remains confidential is an absolute priority for Sodexo.
Sodexo is committed to complying with all applicable regulatory and legal provisions governing the protection of Personal data.
Sodexo enforces a very strict privacy policy to guarantee the protection of the Personal data of those who use its websites, portals, applications, and platforms (our “Sites”):
▬ Users remain in control of their own data. The data is processed in a transparent, confidential and secure manner.
▬ Sodexo is committed to a continuing quest to protect its users’ Personal data in accordance with the Personal Data (Privacy) Ordinance (PDPO).
▬ Sodexo has a data protection officer whom you can contact if you have any questions.
Please read the Policy carefully to familiarize yourself with the categories of Personal data that are subject to collection and Processing, how we use this Personal data, and with whom we are likely to share it. This policy also describes your rights and how you can get in touch with us to exercise these rights or to ask us any questions you might have concerning the protection of your Personal data.
This policy may be amended, supplemented, or updated, in particular to comply with any legal, regulatory, case law, or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively.
Identity and contact details of the Data User
The Data User is:
Sodexo SA
A Société Anonyme with a capital of
Registered office: 255, quai de la Bataille de Stalingrad - 92130, Issy-les-Moulineaux - France
Trade register: 301 940 219 RCS Nanterre
VAT number: FR40301940219
Tel.: 01 30 85 75 00
Legal Representative: Sophie Bellon
“Data User”: a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
“Personal data”: any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.
“Processing”: in relation to Personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.
“Processor”: a person who (a) processes personal data on behalf of another person; and (b) does not process the data for any of the person’s own purposes.
“us”, “we” or “our”: the Sodexo entity acting as Data User.
“you” or “Users”: any Site user/visitor or beneficiary of the Services.
We may collect your Personal data in the ways listed below:
▬ Collection of your Personal data directly from you, such as when you complete forms on our Sites; and
▬ Collection of your Personal data indirectly during your navigation on the Site or via our service providers and/or technologies on our Sites.
We will collect your Personal data on a mandatory basis where this is required by applicable local laws or where this is necessary for the performance of the Services on the Site.
If we are unable to collect these mandatory Personal data items, we will not be able to manage your access to the Site.
We may process, use, and disclose your Personal data for certain purposes, as detailed below, connected to your use of the Site and to the services we provide.
We will collect and process your Personal data as detailed below (without this list being exhaustive) where necessary to provide you with access to the Site, or when it is necessary for compliance with a legal obligation to which we are subject. We will also collect and process your Personal data for Sodexo’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms. Where legitimate interests do not apply as a lawful basis for the Processing of Personal data under the applicable data protection laws, prior explicit consent will be alternatively collected if required by law.
Data Processing activities: Cookies
Purposes: Personalization of the Site and enhancement of the experience.
Categories of Personal data: IP address; Cookies; Statistical data
Legal basis: Consent; Legitimate Interest

Data Processing activities: Identity
Purposes: Authentication purposes
Categories of Personal data: Identification Data (civil status, identity, images – if you provided it)
Legal basis: Legitimate Interest; Consent

Purposes: Any other purpose that we may specify to you at the time of collection and described in a specific privacy policy
Categories of Personal data: Determined at the time of collection and described in a specific privacy policy
Legal basis: Determined at the time of collection and described in a specific privacy policy
Sodexo is part of an international group under the brand Sodexo.
Your Personal data may be transferred within or outside of the Sodexo group.
▬ Within Sodexo
The security and confidentiality of your Personal data is of great importance to us. This is why we restrict access to your Personal data only to members of our and staff only to the extent strictly necessary to process your Personal data or to provide the services necessary for the Site. We ensure that the persons authorized to process the Personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Some of the third countries in which Sodexo entities operate are located outside of Hong Kong and do not provide the same level of data protection as Hong Kong. For those transfers, Sodexo has implemented the appropriate safeguards in accordance with the relevant Data Protection laws and rules.
Sodexo has implemented Sodexo’s Binding Corporate Rules (BCRs) within the Sodexo Group. Therefore, even if the third countries in which Sodexo entities operate are located outside of the European Economic Area, your Personal data is protected in the same way that it would have been by any entity located within the European Economic Area.
▬ Outside of Sodexo
We will not disclose your Personal data to any unauthorized third parties. We may, however, share your Personal data with authorized service providers (for example, technical service providers [hosting, maintenance], consultants, etc.) whom we may call upon for the purpose listed above in compliance with the applicable data protection laws.
All third-party service providers to whom we have disclosed and transferred your Personal data have been engaged under a binding confidentiality and data processing agreement with Sodexo or the Sodexo group’s entities, whereby said third party may act only upon the instruction of Sodexo or Sodexo Group’s entities.
This third-party service provider and/or other contractors, as the case may be, may be located in countries where data protection laws may not provide a level of protection equivalent to Hong Kong. If Sodexo or Sodexo group’s entities disclose your Personal data to such recipients, which shall be only for disaster recovery purposes or for the purpose of providing assistance on our request, we will establish and/or confirm that, prior to receiving any of your Personal data, they will provide an adequate level of protection for your Personal data, including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection, Sodexo or Sodexo group’s entities will also implement other appropriate measures, including standard contractual clauses, to secure such transfer in compliance with applicable law. If you want to access a copy of the relevant documentation, please send an email to dpo.hk@sodexo.com or dpo.group@sodexo.com.
Furthermore, we may share your Personal data (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials, or (iii) if we are of the opinion that transferring this data is necessary or appropriate to prevent any physical harm or financial loss, or in respect of an investigation concerning a suspected or proven unlawful activity.
We will store your Personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, as listed above. This period may be extended, if applicable, for any amount of time prescribed by any legal or regulatory provisions that may apply.
Cookies will only be kept for a maximum of 13 months in order to fulfill their purposes.
The data related to your use of the Site will be kept for as long as necessary for the Processing.
Finally, please note that we may anonymize your Personal data in such a way that you can no longer be identified and continue to use it for statistical purposes. Data used for statistical purposes is no longer classified as Personal data once it has been duly anonymized.
It is important that the Personal data we hold about you is accurate and current. Please keep us informed if your Personal data changes by updating your account on the Site.
Sodexo is committed to ensuring protection of your privacy rights under applicable laws. You will find below a table summarizing your privacy rights under the applicable data protection law, which applies to all Personal data processed on the Site.
Description of the right
Right Of Access And Rectification: You have the right to make a “data access request” pursuant to the Data Protection Law. This right enables you to request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data after you have been provided with a copy of your Personal Data following a data access request.
Right To Opt-Out From Direct Marketing Activities: We are required to notify you and obtain your consent before using your Personal Data in any direct marketing activities or transferring your data to a third party for direct marketing activities.
We will not provide your personal data to third parties for direct marketing or other unrelated purposes without your consent.
Right to lodge a Complaint: If You have a privacy-related complaint against Us, You may complete and submit the Request/Complaint Form (available in Our Data Protection Policy). If You are unsatisfied with our response, You can choose to lodge a Complaint with the Commissioner, in compliance with the Data Protection Law. A complaint must be in writing in Chinese or English and must specify the act or practice complained of and the data user involved.
Please visit the website of the Office of the Privacy Commissioner for Personal Data, Hong Kong at the following address: https://www.pcpd.org.hk/tc_chi/complaints/introduction/introduction.html for the various complaint channels available. You can also notably contact Sodexo SA’s lead Supervisory Authority, the French Supervisory Authority (the “CNIL”, www.cnil.fr).
In addition, You also have the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.
To exercise these rights, You can send your Request or Complaint by email to your Local Data Protection Special Point of Contact at dpo.hk@sodexo.com or to the Group Data Protection Officer at dpo.group@sodexo.com.
• No fee usually required
You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
• What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.
Third party beneficiary rights
If applicable in your country, you can enforce the third-party beneficiary rights afforded to you by the Sodexo BCRs.
We implement all possible technical and organizational security measures to ensure security and confidentiality in Processing your Personal data.
To this end, we take all necessary precautions, given the nature of the Personal data and the risks related to its Processing, in order to maintain data security and, in particular, to prevent distortion, damage, or unauthorized third-party access (physical protection of the premises, authentication procedures with personal, secured access via identifiers and confidential passwords, a connection log, encryption of certain data, etc.).
In addition, if we contract with Processors for all or part of the Processing of your Personal data, we require a contractual agreement from our service providers to guarantee the security and confidentiality of the Personal data that we transmit to them or that they collect on our behalf, in accordance with the applicable regulations on the protection of Personal data.
We regularly conduct audits to verify the proper operational application of the rules relating to the security of your Personal data.
Nevertheless, you also have a responsibility to ensure the security and confidentiality of your Personal data, so we invite you to remain vigilant, especially when using an open system such as the Internet.
Occasionally, we provide links to other platforms for practical and informative purposes. These platforms operate independently from our Sites and are not under our control. These platforms have their own privacy policies or terms of use, which we strongly advise you to read. We do not accept any liability with regard to the content on these platforms, for the products and services that may be offered there, or for any other use thereof.
We may update or amend this policy as and when needed. In this case, amendments will only become applicable after a period of 30 business days from the date of the amendment. Please consult this page from time to time if you want to be informed of any possible changes.
If you have any questions or comments with regard to this policy, please do not hesitate to contact us at the following address: dpo.hk@sodexo.com.