Purpose of this policy

The following information is provided to you to inform you of Sodexo Operations, LLC commitments when processing Personal data when using Sodexo WRX. Sodexo Operations, LLC belongs to Sodexo Group (hereafter “Sodexo”).

Sodexo builds strong, lasting relationships with its clients, partners, and consumers based on mutual trust, making sure that their Personal data is safe and remains confidential, which is an absolute priority for Sodexo. Sodexo is committed to complying with all applicable regulatory and legal provisions governing the protection of Personal data.

Sodexo enforces a very strict privacy policy to guarantee the protection of the Personal data of those who use Sodexo WRX:

Please read this policy carefully to familiarize yourself with the categories of Personal data that are subject to collection and processing, how we use this Personal data, and with whom we are likely to share it. This policy also describes your rights and how you can get in touch with us to exercise these rights or to ask us any questions you might have regarding the protection of your Personal data.

This policy may be amended, supplemented, or updated, in particular to comply with any legal, regulatory, case law, or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal requirement otherwise applies and is enforced retroactively.

For California Residents, please visit this link for a summary of your data rights.


Identity and contact details of the Controller

The Data Controller is: Sodexo Operations, LLC, a Delaware limited liability company, on its own behalf and on behalf of its U.S. affiliated companies, 915 Meeting Street, Suite 1500, North Bethesda, MD 20852, USA

Entity’s Registration Number: [Entity’s Registration Number]

Email address of your DPO: privacy.noram@sodexo.com


Definitions

“Controller”: The Sodexo entity which, alone or jointly with other Sodexo entities or third parties, determines the purposes and means of the processing of Personal Data.

“Personal data”: Any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more elements specific to that person.

“Processing”: Any operation or set of operations that is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor”: Natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller.

“us” “we” or “our”: Sodexo Operations, LLC acting as Controller.

“you” or “Users”: Any user of Sodexo WRX.

“Workplace Applications”: Means the applications or websites accessible through Sodexo WRX. Workplace Applications may be provided by Client, third parties or us.


How will your Personal data be collected? Is it mandatory that you or others provide your Personal data?

We collect your Personal data in the following ways:


For which purposes and on which legal basis will your Personal data be collected and processed? What Personal data may Sodexo AB hold?

We process, use, and disclose your Personal data for certain purposes as detailed below. We will collect and process your Personal data where necessary to provide you access to Sodexo WRX, or when it is necessary to comply with a legal obligation to which we are subject. We will also collect and process your Personal data for Sodexo Operations, LLC’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms.

Where legitimate interests do not apply as a lawful basis for the Processing of Personal data under the applicable data protection laws, prior explicit consent will be alternatively collected if required by law.

| Data Processing activities | Purposes | Categories of Personal data | Legal basis |
| --- | --- | --- | --- |
| Account Management and Account Identification/Authentication | To provide access to Sodexo WRX | Identification Data (First Name, Last Name); Contact Details (Email address, Phone number); Account Information (User ID and Password, Site Registration Code, Site location, Company (client) registration code) | Performance of contract |
| Use of Sodexo WRX | To enable the access and use of Sodexo WRX | Identification Data (First Name, Last Name); Contact Details (Email address, Phone number); Account Information (User ID and Password, Site Registration Code, Company (client) registration code) | Performance of contract |
| Performance analytics | To measure and analyse the use of Sodexo WRX for statistical purposes | Aggregated data on the use of Sodexo WRX | Legitimate interest of Sodexo AB |
| Security | To enable us to detect and analyse Sodexo WRX and ensure its security | Device information; IP address; App version; Browser information | Legitimate interest of Sodexo AB |

Sodexo WRX allows you to access Workplace Applications or services provided by Sodexo (e.g., ordering food, submitting a service or concierge request, or accessing benchmark and reporting). The Workplace Applications available through Sodexo WRX can process additional Personal Data for other purposes, sometimes on behalf of our clients (e.g., your employer or university or owner of the location where we provide our services). A description of the processing of Personal Data for those services is provided in the privacy policy available directly in those Workplace Applications.


To whom will your Personal data be disclosed?

Sodexo is part of an international group operating under the brand Sodexo. For the performance of K1nect, your Personal data will be transferred within or outside of the group.

Within Sodexo Group

The security and confidentiality of your Personal data is of great importance to us. This is why we restrict access to your Personal data to members of our staff only, to the extent it is strictly necessary to process your Personal data or to provide the services necessary for Sodexo WRX. We ensure that the persons authorized to process the Personal data have committed themselves to abide by confidentiality agreements or are under an appropriate statutory obligation of confidentiality.

We have also implemented appropriate safeguards to ensure an adequate level of protection of your Personal data, even if the Personal data is processed by another Sodexo entity that did not collect your Personal data originally. Sodexo AB has implemented Sodexo’s Binding Corporate Rules (BCRs), available at the following link: Sodexo BCR - Controller Policy. Therefore, even if the third countries in which Sodexo entities operate are located outside of the European Economic Area, your Personal data is protected in the same way that it would have been by any entity located within the European Economic Area.

Outside Sodexo Group

In order to provide you with Sodexo WRX, some of your Personal data will be transferred by us to third parties operating the services and/or to your employer who subscribes to the service for you. We will not disclose your Personal data to any unauthorized third party.

We will, however, share your Personal data with authorized service providers (for example, technical service providers (hosting, maintenance), consultants, etc.) whom we call upon for the purposes listed above in compliance with the applicable data protection laws. All third-party service providers to whom we have disclosed and transferred your Personal data have been engaged under a binding confidentiality and data processing agreement with Sodexo, whereby said third party may act only upon the instruction of Sodexo.

These third-party service providers and/or other contractors can be located in countries where data protection laws do not provide a level of protection equivalent to your country. If Sodexo discloses your Personal data to such recipients, we will establish and/or confirm that, prior to receiving any of your Personal data, they will provide an adequate level of protection for your Personal data, including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection, Sodexo will also implement other appropriate measures to secure such transfer in compliance with applicable law.

Furthermore, we will share your Personal data (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials, or (iii) in respect of an investigation concerning a suspected or proven unlawful activity.


How long will your Personal data be held?

We will store your Personal data only for as long as necessary to fulfil the purposes for which it was collected and processed, as described below. This period can be extended, if applicable, for any amount of time prescribed by any legal or regulatory provisions that can apply.

Finally, please note that we can anonymize your Personal data in such a way that you can no longer be identified and continue to use it for statistical purposes. Data used for statistical purposes is no longer classified as Personal data once it has been duly anonymized.

| Purposes | Categories of Personal data | Data Retention Duration |
| --- | --- | --- |
| To enable the access and use of Sodexo WRX | Identification Data (First Name, Last Name); Contact Details (Email address, Phone number); Account Information (User ID and Password, Site Registration Code, Company (client) registration code) | As long as you have access to Sodexo WRX |
| To measure and analyse the use of Sodexo WRX for statistical purposes | Aggregated data on app usage (e.g., page visits, clicks, visit duration) for statistics | 2 years after the collection of the data |
| To enable us to detect and analyse Sodexo WRX and ensure its security | Device information, IP address, App version, Browser information | 6 months after the collection of the data |

Sensitive Personal data

As a general rule, we do not collect sensitive Personal data on Sodexo WRX. Any information revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, or sex life or sexual orientation is considered ‘sensitive personal data’. This definition also includes Personal Data relating to criminal convictions and offences.

In the event that the collection of such Data is strictly necessary to fulfil the purpose of the processing, we will do so in accordance with the requirements of local legislation on the protection of Personal Data and, in particular, with your prior explicit consent and under the conditions described in this policy.


Personal Information and Minors

Sodexo WRX is provided for adults who have the capacity to enter into a contract under the applicable law. Nonetheless, some of our services may be provided to soon-to-be adults (campus), and so we might process Personal data of minors, but it is always done with the consent of their legal guardian.


Your Privacy Rights

It is important that the Personal data we hold about you is accurate and up to date. Sodexo is committed to ensuring protection of your privacy rights under applicable laws. You will find below a table summarizing your privacy rights under the applicable data protection law, which applies to all Personal data processed on Sodexo WRX.

| Data Protection Right | Description of the Right |
| --- | --- |
| Right to be informed | You may request a copy of the Personal data we hold about you. |
| Right of access | Aggregated data on app usage (e.g., page visits, clicks, visit duration) for statistics \| 2 years after the collection of the data |
| Right of rectification | You may request the rectification of inaccurate Personal data, or to have incomplete Personal data completed. |
| Right to erasure | Your right to be forgotten entitles you to request the erasure of your Personal data in compliance with the applicable law. |
| Right to object to Processing | You may object (i.e., exercise your right to “opt-out”) to the Processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time. |
| Right to restriction of Processing | You may request that the Processing of your Personal data be restricted. |
| Right to portability | You may request to receive your Personal data in a structured, commonly used and machine-readable format, under the conditions set out in Article 20 of the GDPR. |
| Right to lodge a complaint | You may lodge a complaint with a supervisory authority, in particular of your Country of residence if you consider that the processing of your personal data infringes data protection laws. |
| Local additional rights | You may have additional privacy rights under the data protection laws in your country. For more information on these rights and how to exercise them, please consult your local law. |

To exercise these rights, you can raise queries or complaints with the authorised representative, by email at privacy.noram@sodexo.com or send your request regarding data protection via the online request webform or by post, addressed to Sodexo Operations, LLC 915 Meeting Street Suite 1500, North Bethesda, MD 20852.

No fee usually required: You will not have to pay a fee to access your Personal data (or to exercise any of the other rights).

What we may need from you: Where necessary, we can request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.


Focus on the permissions

When using Sodexo WRX, if you agree to it, access permissions may be implemented by your device to allow you to choose the functionalities accessible on mobile applications for security and privacy purposes. Below is the list of permissions used in Sodexo WRX:


How will my Personal data be protected?

We implement all possible technical and organizational security measures to ensure security and confidentiality in Processing your Personal data. To this end, we take all necessary precautions, given the nature of the Personal data and the risks related to its Processing, in order to maintain data security and, in particular, to prevent distortion, damage, or unauthorized third-party access (physical protection of the premises, authentication procedures with personal, secured access via identifiers and confidential passwords, a connection log, encryption of certain data, etc.).

In addition, if we contract with Data Processors for all or part of the Processing of your Personal data, we require a contractual agreement from our service providers to guarantee the security and confidentiality of the Personal data that we transmit to them or that they collect on our behalf, in accordance with the applicable regulations on the protection of Personal data.

We regularly conduct audits to verify the proper operational application of the rules relating to the security of your Personal data. Nevertheless, you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet.


How will you be notified if the uses of your Personal data change?

We may update or amend this policy as and when needed. In this case, amendments will only become applicable after a period of 30 business days from the date of the amendment. Please consult this page from time to time if you want to be informed of any possible changes.

If you have any questions or comments with regard to this policy, please do not hesitate to contact us via email at the following email address: privacy.noram@sodexo.com.