Your privacy is very important to us. We have developed this Sodexo Hong Kong Data Protection Policy in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal Data. This Sodexo Hong Kong Data Protection Policy describes the measures we take to ensure the protection of your Personal Data. We also tell you how you can reach us to answer any questions you may have about data protection.

SCOPE

This policy applies to the Processing of Personal Data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.

In this policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the global organization of Sodexo entities.

COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA

COMPLIANCE WITH THE DATA PROTECTION LAW AND ANY ADDITIONAL APPLICABLE LAW

We are committed to complying with the Data Protection Law and any applicable laws relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with provisions of the Data Protection Law and other applicable laws.

LAWFULNESS, FAIRNESS AND TRANSPARENCY

We do not collect or process Personal Data without having a lawful reason to do so. We may have to collect and process your Personal Data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal Data for Sodexo’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

When collecting and processing your Personal Data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Data, for what purposes your Personal Data are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible or it requires disproportionate efforts to do so.

When required by applicable law, we will seek your prior consent (e.g. before collecting any Personal Data we regard as sensitive).

LEGITIMATE PURPOSE, LIMITATION AND DATA MINIMIZATION

Your Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

When Sodexo acts for its own purposes, your Personal Data is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management , including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

DATA ACCURACY AND STORAGE LIMITATION

Sodexo will keep Personal Data that is processed accurate and, where necessary, up to date. Also, we will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for Sodexo to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data, you may contact us at dpo.hk@sodexo.com.

Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.

SECURITY OF YOUR PERSONAL DATA

We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information & Systems Security Policy.

We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data. We also carry out, depending on the level of risk raised by the processing, a privacy impact assessment to adopt appropriate safeguards and ensure the protection of the Personal Data. We also provide additional security safeguards for Personal Data we consider to be sensitive.

DISCLOSURE OF YOUR PERSONAL DATA

We share your Personal Data, in the following circumstances:

INTERNATIONAL PERSONAL DATA TRANSFERS

The Data Protection Law prohibits the transfer of Personal Data to a place outside Hong Kong except in specified circumstances. For transfers of your Personal Data outside Hong Kong, we will take all reasonable precautions and exercise all due diligence to ensure that the data will not be dealt with in a manner that would constitute a contravention of the Data Protection Law.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at dpo.hk@sodexo.com.

COOKIES

Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website.

We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies Policy.

YOUR RIGHTS

Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights. The following table is not an exhaustive list and other rights as stipulated in applicable laws, regulations and other relevant documents as amended from time to time may apply.

Right of access and rectification

 

You have the right to make a “data access request” pursuant to the Data Protection Law. This right enables you to request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data after you have been provided with a copy of your Personal Data following a data access request.

Right to opt out from direct marketing activities

 

We are required to notify you and obtain your consent before using your Personal Data in any direct marketing activities or transferring your data to a third party for direct marketing activities.

We will not provide your personal data to third parties for direct marketing or other unrelated purposes without your consent.

Right to lodge a Complaint

 

You can choose to lodge a Complaint with the Commissioner, in compliance with the Data Protection Law. A complaint must be in writing in Chinese or English and must specify the act or practice complained of and the data user involved.

Please visit the website of the Office of the Privacy Commissioner for Personal Data, Hong Kong at the following address: https://www.pcpd.org.hk/tc_chi/complaints/introduction/introduction.html for the various complaint channels available.

You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence.

To exercise these rights, you can either send your Request to the generic email address as indicated in the privacy notices and/or the privacy policies provided to you at the time of the collection of your Personal Data and/or your Local Single Data Protection Point of Contact at dpo.hk@sodexo.com. For more details, consult the Data Protection Requests Policy.

CHILDREN

Children merit specific protection with regard to their Personal Data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal Data. Such specific protection should, in particular, apply to the use of Personal Data of children for the purposes of marketing or creating personality or user profiles and the collection of Personal Data with regard to children when using services offered directly to a child.

We do not collect and process Children’s Personal Data without the consent of the holder of parental responsibility where required. In particular, we do not promote or market our services to Children, except for specific services and upon the consent of the holder of parental responsibility. If you believe that we have mistakenly collected a child's Personal Data, please notify us using the contact details provided below.

UPDATE

We may update this policy from time to time as our business changes or legal requirements change. If we make any significant changes to this policy, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.

CONTACT US

If you have questions, comments and requests regarding this policy, please contact your Local Single Data Protection of Contact at the following email address: dpo.hk@sodexo.com .

DEFINITIONS