Your privacy is very important to us. We have developed this Sodexo Data Protection Policy (Mainland China) in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal Information. This Sodexo Data Protection Policy (Mainland China) describes the measures we take to ensure the protection of your Personal Information. We also tell you how you can reach us to answer any questions you may have about data protection.




The Sodexo Data Protection Policy (Mainland China) applies to all Sodexo entities in Mainland China (hereinafter designated as “Sodexo”).

This policy applies to the Processing of Personal Information collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Information” being defined as any kind of information related to an identified or identifiable natural personal as electronically or otherwise recorded, including but not limited to name, data of birth, ID number, personal biological identification information, address, and telephone number of the natural person, excluding information that has been anonymized.

In this Policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the Sodexo entities in Mainland China.


Collection and processing use of your Personal Information

Compliance with ALL applicable lawS AND REGULATIONS

We are committed to complying with any applicable legislation relating to Personal Information.



Lawfulness, fairness and transparency

We do not collect or process Personal Information without having a lawful reason to do so. We may have to collect and process your Personal Information where necessary for the performance of a contract to which you are one party, or where necessary for compliance with a statutory responsibility or a legal obligation to which we are subject or where required, with your prior consent. We may also collect or process your Personal Information for responding to a public health emergency, or for protecting the life, health or property safety of a natural personal in case of an emergency, or carrying out any new reporting, supervision by public opinions or any other activity for public interest purposes within a reasonable scope. In addition, we may also collect or process your Personal Information which has been disclosed by yourself or otherwise legally disclosed within a reasonable scope.

Before collecting and processing your Personal Information, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Information, for what purposes your Personal Information are processed, who the recipients are, what your rights are and how to exercise them, etc., unless such prior consent is not required under applicable laws or regulations.

When required by applicable law, we will seek your prior consent (e.g. before collecting any Sensitive Personal Information).



legitimate Purpose, Limitation and data minimization

Your Personal Information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

When Sodexo acts for its own purposes, your Personal Information is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.



Data accuracy and storage limitation

Sodexo will keep Personal Information that is processed accurate and, where necessary, up to date.  Also, we will only retain Personal Information for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for Sodexo to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Information established in our retention policy, you may contact us at

Upon expiry of the applicable retention period we will securely destroy your Personal Information in accordance with applicable laws and regulations.


security of your Personal Information

We implement appropriate technical and organizational measures to protect Personal Information against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information and System Security Policy.

We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Information. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Information. We also provide additional security safeguards for data considered to be Sensitive Personal Information.

Disclosure of your Personal Information

We share your Personal Information, in the following circumstances:


International Personal Information transfers

If we transfer your Personal Information overseas, we will implement appropriate measures based on applicable laws and regulations to ensure compliance.


Some of our websites may use “Cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website.

We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies Policy.


Your rights

Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights. The following table is not an exhaustive list and other rights as stipulated in applicable laws, regulations and other compulsory documents as amended from time to time may apply.


Right of access and rectification

You can request access to your Personal Information we hold about you. You may also request rectification of inaccurate Personal Information, or to have incomplete Personal Information completed.

Right of copies

You can reasonably request copies of your personal information that we have in possession, we will try our best to provide you such copies if technology permits.

Right to object

You can object to the processing of your personal information for legitimate reasons, unless the data processing is implemented in accordance with mandatory provisions of applicable law or for the fulfillment of specific contract.

Right to delete

You can request to delete your Personal Information we hold about you.

Right to change the scope of your authorization

You can contact us through the contact information listed in this policy to change or withdraw the scope of our collection and processing of your Personal Information. When you withdraw your authorization, we will no longer process the corresponding Personal Information. Please note that your decision to withdraw your authorization will not affect our previous Personal Information processing activities based on your authorization. If the scope of the Personal Information you withdraw includes the Personal Information which we must collect in order to provide you with products and/or services, it may affect your normal usage of the corresponding products and/or services. In addition, with regard to the Personal Information we collect to fulfill our obligations under laws and regulations, if you request to change the scope of your authorization, we may not be able to respond to your such request.

Right to lodge a complaint with the Supervisory Authorities

You can choose to lodge a Complaint with the relevant Supervisory Authorities regardless of whether you have suffered damages. You also have the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

Right not to be subject to automated decisions

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you.



You may, at any time, exercise any of the above rights or contact us with any data protection related queries or concerns:


- by completing the Request form and send it to the generic email address as indicated in the privacy notices and/or the privacy policies provided to you at the time of the collection of your Personal Data or,

- by completing and submitting the dedicated Request webform;

For more details, consult the Sodexo Data Protection Rights Management Policy (Mainland China)


Children merit specific protection with regard to their Personal Information, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal Information. Such specific protection should, in particular, apply to the use of Personal Information of children for the purposes of marketing or creating personality or user profiles and the collection of Personal Information with regard to children when using services offered directly to a child.

Sodexo is committed to comply with the Provisions on the Cyber Protection of Personal Information of Children and other relevant laws and regulations. We do not collect and process Children’s Personal Information without the consent of the holder of parental responsibility where required. In particular, we do not promote or market our services to Children, except for specific services and upon the consent of the holder of parental responsibility. If you believe that we have mistakenly collected a Children's Personal Information, please notify us using the contact details provided below.


We may update this Policy from time to time as our business changes or legal requirements change. If we make any significant changes to this policy, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.

Contact Us

If you have questions, comments and requests regarding this policy, you can send them to your Local Data Protection of Contact at the following email address:


Complaint means the complaint lodged by a Data subject with a Supervisory Authority or a court of justice if the Data subject considers his or her rights under Applicable Data Protection Law are infringed.

Personal Information Controller means any organization or individual that independently determines the purpose and method of processing in their activities of processing of personal information.

Applicable Data Protection Law means the Personal Information protection law, regulations and other regulatory documents in Mainland China, including but not limited to: Civil Code of the People’s Republic of China, Cyber Security Law of the People's Republic of China, Personal Information Protection Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Law of the People's Republic of China on the Protection of Consumer Rights and Interests, Provisions on the Cyber Protection of Personal Information of Children, and other applicable laws and regulations.

Local Special Data Protection Point of Contact means the person appointed by a Sodexo entity, in charge of handling local data privacy issues. This point of contact is part of the Global Data Protection Network.

Personal Information means any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, including but not limited to name, data of birth, ID number, personal biological identification information, address, and telephone number of the natural person, while excluding information that has been anonymized.

Processing or Processing of Personal Information means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Privacy by design means that where a new digital project or a new business opportunity is initiated, involving Processing of Personal Information, data protection shall be taken into account, both at the time of the definition of the means and the related appropriate technical and organizational security measures for the Processing and at the time of the implementation of Processing itself. The same principle applies where Sodexo intends to merge with or acquire a company, it shall make sure that data protection principles are respected.

Privacy by default means that personnel should be trained to handle Personal Information and implement procedures to ensure that each time Personal Information is processed, appropriate technical and organizational measures are taken for ensuring that, by default, only Personal Information which is necessary for each specific purpose is processed (in terms of amount of data processed, extent of the processing and data retention) and is made accessible only to a limited number of persons who need to know.

Request means one of the mechanisms provided by Applicable Data Protection Law to individuals to allow them to exercise their rights (such as the right of access, to rectification, to deletion etc.). An individual may make a Request against any entity which processes its Personal Information.

Sensitive Personal Information means the personal information that may cause harm to personal or property security, or is very likely to result in damage to an individual's personal reputation or physical or mental health or give rise to discriminatory treatment, once it is leaked, unlawfully provided or abused, including but not limited to ID number, personal biometric information, bank account information, communication records and content, property information, credit information, records of whereabouts, accommodation information, health information, transaction information, and the Personal Information of minors up to 14 years of age, etc.

Sodexo entity or Sodexo entities means any corporation, partnership or other entity or organization which is admitted from time to time as member of the Sodexo Group in Mainland China.

Supervisory Authority means independent public authorities which is established by Mainland China as specific in applicable laws and regulations.