Last update: December 30th, 2021
Preamble
Sodexo is committed to handling Personal Information in compliance with the Personal Information Protection Law of PRC, Cyber Security Law of the PRC, Data Security Law of the PRC, and any other applicable law and aims to deal promptly and efficiently with any queries relating to the Sodexo entities’ processing of Personal Information.
In some cases, Sodexo entities may act as a Trustee on behalf of a Client. In this instance the Client is responsible for handling Data subject Requests relating to compliance with Applicable Data Protection Law and the Data subject’s Personal Information.
Definitions
- Client means organizations or corporations that ask Sodexo to perform services on their behalf for their employees / Onsite personnel that are the end-users of these services.
- Complaint means the complaint lodged by a Data subject with a Supervisory Authority or a court of justice if the Data subject considers his or her rights under Applicable Data Protection Law are infringed.
- Personal Information Controller means any organization or individual that independently determines the purpose and method of processing in their activities of processing of personal information.
- Data subject means an identified or identifiable individual whose Personal Information is concerned by processing within Sodexo, including the Personal Information of Sodexo’s current, past and prospective applicants, employees, clients, consumers/beneficiaries, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
- Applicable Data Protection Law means the Personal Information protection law, regulations and other regulatory documents in Mainland China, including but not limited to: Civil Code of the People’s Republic of China, Cyber Security Law of the People's Republic of China, Personal Information Protection Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Law of the People's Republic of China on the Protection of Consumer Rights and Interests, Provisions on the Cyber Protection of Personal Information of Children, and other applicable laws and regulations.
- Local Single Data Protection Point of Contact means the individual appointed by a Sodexo entity, in charge of handling local data protection issues. In some cases, the Local Single Data Protection Point of Contact can be appointed as Local Data Protection Officer where required by Applicable Data Protection Law.
- Personal Information means any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, including but not limited to name, date of birth, ID number, personal biological identification information, address, and telephone number of the natural person, while excluding information that has been anonymized.
- Processing or Personal Information Processing means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
- Request means one of the mechanisms provided by Applicable Data Protection Law to individuals to allow them to exercise their rights (such as the right of access, to rectification, to deletion etc.). An individual may make a Request against any entity which processes his/her Personal Information.
- Sodexo entity or Sodexo entities means any corporation, partnership or other entity or organization which is admitted from time to time as a member of the Sodexo Group. Collectively ‘Sodexo’.
- Supervisory Authority means the independent public authorities which are established by Mainland China as specified in applicable laws and regulations.
Scope
This policy applies to all Sodexo entities in Mainland China (hereinafter designated as “Sodexo”).
This policy applies to the Processing of Personal Information collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Information” being defined as any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized.
In this policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the Sodexo entities in Mainland China.
Your rights under APPLICABLE DATA PROTECTION laws
Where Sodexo processes your Personal Information for its own purposes, please consult the Section “Your Rights” of our Sodexo Data Protection Policy (Mainland China).
Where Sodexo processes Personal Information on behalf of a Client, Sodexo will notify the Client of any Data subject’s Request received. Sodexo will cooperate and provide the Client with assistance in relation to the Request, to the extent legally permitted.
What will our teams do if they receive a Request?
Our approach is to engage positively and resolve your Request in a satisfactory manner without you having to file a complaint to the local Court or the relevant Data Protection Supervisory Authority.
If you have any queries about the Processing of your Personal Information, you should not hesitate to raise your query to Sodexo. To help us to deal with your Request, please provide a full written explanation of your query by completing the Request Form below or by completing the Request webform.
Sodexo shall inform its Client acting as Personal Information Controller of any Request made by a Data subject as soon as possible. The Client will be in charge of handling such Request and Sodexo will assist the Client in responding to Data subject Requests. Sodexo will directly handle Requests only when it is agreed with the Client or if the Client has disappeared, ceased to exist in law or become insolvent. In all other cases, Sodexo will assist the Client in responding to Data subject Requests.
Handling Requests
At the time of drafting your Request and to allow Sodexo to deal promptly with your Request in the most efficient manner, you are invited to follow these steps:
STEP 1: Complete and submit the Request webform or the Request Form by email to the generic email address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Information.
STEP 2: Your Request will be treated confidentially and fully investigated where necessary. During this process, you may receive additional communication from the relevant Sodexo’s Local Single Data Protection Point of Contact to investigate your concern. If you have not provided sufficient information in your Request, we will let you know what further information is needed to process your Request.
STEP 3: Once the information related to your Request is complete, we will contact you within fifteen (15) working days to provide you with an answer. In case we cannot respond to your request in a timely manner or where there are valid grounds for refusal in accordance with the Applicable Data Protection Law, we will notify you in writing of the reasons for the delay.
STEP 4: Please note that you can choose to lodge a complaint with the Data Protection Supervisory Authority regardless of whether you have suffered damages. You also have the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.