Data Protection Policy

SODEXO MEA

The following information is provided to you to inform you of Sodexo Middle East’s commitments in terms of Personal Data Protection. Each entity listed under Sodexo Middle East shall be acting as respective data controller.

SODEXO builds strong, lasting relationships with its customers, partners and consumers based on mutual trust: making sure that their Personal data is safe and remains confidential is an absolute priority for SODEXO.

SODEXO is committed in complying with all applicable regulatory and legal provisions governing the protection of Personal data.

This policy applies to the Processing of Personal Data collected by entities under Sodexo Middle East. which comprises of KELVIN CATERING FACILITIES MANAGEMENT EMIRATES, SOCAT, TEYSEER, ALGERIA, SODEXO SOUTHERN AFRICA (hereafter “Company”). The Personal Data collected by the Company , directly or indirectly, from all individuals including, but not limited to THE COMPANY current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.

In this Policy, “you” and “your” means any covered individual. “We”, “us”, “our” refers to THE COMPANY.

COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA

Compliance with the Applicable Local Data Protection Law

We are committed to complying with any applicable legislation relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with provisions of the applicable Data Protection Regulation and applicable legislations.

Lawfulness, Fairness and Transparency

We do not collect or process Personal Data without having a lawful reason to do so. We may have to collect and process your Personal Data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal Data for the Company legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

When collecting and processing your Personal Data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Data, for what purposes your Personal Data are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible or it requires disproportionate efforts to do so.

In the event that the applicable data protection and applicable legislations requires prior consent, we will request for your consent before the collection of such personal data.

Legitimate Purpose, Limitation and Data Minimization

Your Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

When the Company acts for its own purposes, your Personal Data is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management , including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

Data Accuracy and Storage Limitation

The Company will keep Personal Data that is processed accurately and, where necessary, up to date. Also, we will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for the Company to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data established in our retention policy, you may contact us at either privacy.mea@sodexo.com or at dpo.group@sodexo.com Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.

Local Data Protection Point of Contact for any queries or reporting any data breaches:

Ms. Rianna Lobo: privacy.mea@sodexo.com

Ms. Anupama Mahima: privacy.mea@sodexo.com

Third Party Beneficiary Rights

If applicable in your country, you can enforce the third-party beneficiary rights afforded to you by the Sodexo BCRs.

SECURITY OF YOUR PERSONAL DATA

We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information and Systems Security Policy.

We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Data. We also provide additional security safeguards for data considered to be Sensitive Personal Data.

DISCLOSURE OF YOUR PERSONAL DATA

We share your Personal Data, in the following circumstances:

with other Sodexo entities for the purposes described in this policy;
with third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared;
with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
with service providers who we engage within or outside of the COMPANY, domestically or abroad, e.g. shared service centers, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

Sodexo has implemented the Sodexo’s Binding Corporate Rules (BCRs) within Sodexo Group. Therefore, even if the third countries in which Sodexo entities operate are located outside of the European Economic Area, your Personal data is protected in the same way that they would have been by any entity located within the European Economic Area.

INTERNATIONAL PERSONA DATA TRANSFERS

For transfers of your Personal Data to countries outside of the Middle East, either to entities within or outside of the global organizations of Sodexo entities, the COMPANY has put in place an adequate safeguard to protect your Personal Data. You will be provided with more information about any transfer of your Personal Data outside of the Middle East at the time of the collection of your Personal Data through appropriate privacy notices or privacy policies.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at privacy.mea@sodexo.com or at dpo.group@sodexo.com

COOKIES

Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website.

We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies policies.

YOUR RIGHTS

Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your rights as per your local legislation:

UNITED ARAB EMIRATES

Key Definitions:

Personal Data

Personal data is any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, voice, photo, an identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.

Sensitive Data

Sensitive data is any information that reveals, either directly or indirectly, a natural person's family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, or any information concerning the health of such person, including the physical, psychological, mental, genetic, or sexual status of such person, including the provision of health care services, which reveals information about his or her health status.

Biometric Data

Biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a data subject, which allow or confirm the unique identification of that data subject, such as facial images or dactyloscopic data.

Know your Rights:

Right of access and rectification

You can request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right to opt -out

Right to erasure

You have a right to opt-out if the Personal Data is performed for direct marketing purposes or statistical surveys.

How to lodge a complaint

You can choose to lodge a complaint with The UAE Data Bureau established under the aforementioned Federal Decree by Law No. (44) of 2021 if you live in UAE, if there has been any alleged infringement of your personal data, regardless of whether you have suffered damages. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence

To submit requests relating to data subject rights in the UAE please complete and submit this Requests Webform.

To know more about your rights, you can also reach out to us at privacy.mea@sodexo.com

Loading component...

QATAR

Key Definition

Personal Data

Sensitive Personal Data

Any information relating to an individual who is identified or can potentially be identified either from such data or from such data in conjunction with any other data.

Personal data revealing or relating to race or ethnicity, political affiliation, opinions, religious or philosophical beliefs, trade union or organizational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual.

Know your Rights:

Right of access and rectification

You can request a copy of the Personal Data, at no cost, we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right to Erasure

Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:

the data is no longer necessary for the purpose for which it was collected;
you choose to withdraw your consent;
you object to the processing of your Personal Data;
your Personal Data has been unlawfully processed; erasure is required to ensure compliance with applicable laws.

Right to Opt-out

You may object (i.e., exercise your right to “opt-out”) to the processing of your Personal Data particularly in relation to profiling or to marketing communications.

Right to lodge a complaint

You can choose to lodge a complaint with the National Cyber Governance and Assurance Affairs (NCGAA) of the National Cyber Security Agency if you live in Qatar, if there has been any alleged infringement of your personal data, regardless of whether you have suffered damages. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence

To submit requests relating to data subject rights in Qatar please complete and submit the Requests Webform.

To know more about your rights, you can also reach out to us at privacy.mea@sodexo.com

Loading component...

SOUTH AFRICA

Key Definitions

Personal Information/ Personal Data

Biometrics

means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;

Right of access and rectification

You can request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right to be forgotten

Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:

the data is no longer necessary for the purpose for which it was collected;
you choose to withdraw your consent;
you object to the processing of your Personal Data;
your Personal Data has been unlawfully processed; erasure is required to ensure compliance with applicable laws.

Right to object to processing

You may object (i.e., exercise your right to “opt-out”) to the processing of your Personal Data particularly in relation to profiling or to marketing communications. When we process your Personal Data on the basis of your consent, you can withdraw your consent at any time.

Right to lodge a complaint

You can choose to lodge a complaint with the Information Regulator if you live in South Africa and there has been any alleged infringement, regardless of whether you have suffered damages. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

To submit requests relating to data subject rights in South Africa please complete and submit the Requests Webform.

To know more about your rights, you can also reach out to us at privacy.mea@sodexo.com

Loading component...

ALGERIA

Key Definition

Personal Data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as "data subject", directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

Right of access and rectification

You can request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right to object to processing

Right to lodge a complaint

You can choose to lodge a complaint with the National Personal Data Protection Authority if you live in Algeria and if there has been any alleged infringement, regardless of whether you have suffered damages. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

To submit requests relating to data subject rights in Algeria please complete and submit the Requests Webform

To know more about your rights, you can also reach out to us at privacy.mea@sodexo.com

Loading component...

OMAN

Key Definitions

Personal Data

Data that makes a natural person identified or identifiable directly or indirectly, by reference to one or more identifier(s), such as a name, an identification number, online identifier data or location data, or by reference to one or more element(s) specific to his genetic, physical, mental, physiological, social, cultural or economic.

Right of access and rectification

You can request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right for Erasure

Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:

the data is no longer necessary for the purpose for which it was collected;
you choose to withdraw your consent;
you object to the processing of your Personal Data;

your Personal Data has been unlawfully processed; erasure is required to ensure compliance with applicable laws.

Right to lodge a compliant

You can choose to lodge a complaint with the Ministry of Transport, Communications, and Information Technology if you live in Oman, if there has been any alleged infringement, regardless of whether you have suffered damages. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence

To submit requests relating to data subject rights in the Oman please complete and submit this Requests Webform.

To know more about your rights, you can also reach out to us at privacy.mea@sodexo.com.

For more details, consult the Global Data Protection Rights Management Policy.

UPDATE

We may update this policy from time to time as our business changes or legal requirements change. If we make any significant changes to this policy, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.

CONTACT US

If you have questions, comments and requests regarding this policy you can send address them to the Local Data Protection Point of Contact at privacy.mea@sodexo.com or dpo.group@sodexo.com; or send a letter to The Company Sodexo SA, Group Data Protection Officer, 255 quai de la bataille de Stalingrad, 92130 Issy-les-Moulineaux, France

Local Data Protection Officer for Sodexo Middle East and Africa Region

Ms. Rianna Lobo: privacy.mea@sodexo.com

Ms. Anupama Mahima: privacy.mea@sodexo.com

DEFINITIONS

Complaint means the complaint lodged by a Data subject with a Supervisory Authority or a court of justice if the Data subject considers his or her rights under applicable local law are infringed.

Controller means the entity that determines the purposes and means of the Personal Data processing.

Data Breach means breaching information security and Personal Data through illegal or unauthorized access. This includes copying, sending, distributing, exchanging, transferring, circulating or processing it in a way which leads to disclosure of such data to third parties, or destroying or modifying it during storage, transfer and processing.

Local Data Protection Point of Contact means the person appointed by a Sodexo entity, in charge of handling local data privacy issues. This point of contact is part of the Global Data Protection Network.

Processing or Processing of Personal Data means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sodexo entity or Sodexo entities means any corporation, partnership or other entity or organization which is admitted from time to time as member of the Sodexo Group.