Purpose of this policy
- This Policy may be amended, supplemented, or updated, to comply with any legal, regulatory, case law or technical developments that may arise.
- We are part of the Sodexo group of Companies. We provide a first-class catering solution to the education sector.
IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
- Sodexo Ltd registered offices at One Southampton Row, London, WC1B 5HA. Email: DataProtection.UKandIE@Sodexo.com
“Personal data” means any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person.
“us” or “our” means Sodexo Ltd.
“you” means the data subject and any website user/visitor.
COLLECTION AND SOURCE OF PERSONAL DATA
- We normally obtain information via contractual agreements with our staff and clients. We may also obtain personal information such as email addresses and telephone numbers from potential clients and suppliers.
- If you are a parent, using the School Food United portal, which facilitates contact-free ordering and payment of school meals, privacy information can be found on that website.
- Personal data may be provided by the school we provide meals to, if this is necessary to provide the service and may include allergen information.
WHAT ARE THE TYPES OF PERSONAL DATA COLLECTED AND USED BY US?
Names, addresses, telephone numbers, other contact information, payment and financial information, due diligence information, allergen information, meta data, transactional data, and communications between us.
HOW AND FOR WHICH PURPOSES WILL THE PERSONAL DATA COLLECTED BE USED?
- To provide, deliver and improve the services and offers we provide.
- To send and receive payments, and to fulfil and manage our contractual relationships arising from any contracts we have in place.
- To notify you of changes to our services.
- To seek feedback and perform statistical analyses.
- To carry out data analytics and statistical analysis to monitor the quality and operational excellence of Our services and this website.
- To manage Our contractual relationship with You.
- To prevent potential fraud and ensure the security of Our IT systems.
- To comply with Our legal and regulatory obligations.
ON WHICH LEGAL BASIS WILL MY PERSONAL DATA BE COLLECTED AND PROCESSED?
- We may have to collect and process your Personal data where necessary for legal obligations, the performance of a contract to which You are subject or for the benefit of the pupils to whom we provide the service, as well as for Sodexo’s legitimate interests except where such interests are overridden by your or the pupils’ interests or fundamental rights and freedoms. In relation to allergen information this may also be to protect the vital interests of an individual. Consent may also be used where appropriate (for example in relation to marketing to individuals).
TO WHOM WILL THE PERSONAL DATA BE DISCLOSED?
- Only those within the organization who need to have access to your personal data to fulfil their duties and our contractual obligations with you will have access to the information; for example, the finance department needs bank details in order to make payments.
- We will not disclose your Personal data to any unauthorized third parties. Where data is disclosed to Third party service providers, it is in order to provide the service or fulfil the contract or to provide us with services.
- Your Personal data will only be available to internal or external third parties, who need such access for the purposes listed above or where required by law, for claims, or to prevent fraud.
- Personal data may be shared with other Sodexo Group Companies only where necessary, for fulfilment of an order, where joint services are provided, or for legal, reporting or business re-organisation (sales and purchases).
- We will not rent or sell your data to third parties.
- We will not share your data with third parties for marketing purposes.
- The main categories of data recipients are the following (without this list being exhaustive): authorized internal persons, third-party service providers or other contractors who process Personal data on behalf of Sodexo and, as the case may be, judicial and regulatory authorities.
- We do not authorize Our service providers to use or disclose your Personal data, except to the extent necessary to deliver the services on Our behalf or to comply with legal obligations.
- In the unusual circumstance that personal data could be shared with a company outside UK/EEA, we will ensure an appropriate adequacy basis is used; this is usually standard contractual clauses.
HOW WILL THE PERSONAL DATA BE PROTECTED?
- We implement appropriate technical and organizational measures to protect Personal data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure or access, in accordance with Our Group Information & Systems Security Policy.
- We take, when appropriate, all reasonable measures based on privacy by design and privacy by default principles to implement the necessary safeguards and protect the Personal data processing. We also carry out, depending on the level of risk raised by the processing, a privacy impact assessment to adopt appropriate safeguards and ensure the protection of the Personal data. We also provide additional security safeguards for data considered to be sensitive Personal data.
- Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Application, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
- Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Application; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
HOW CAN I ACCESS MY PERSONAL DATA?
- We are committed to ensuring protection of your rights under applicable laws. You will find below a table summarizing your different rights, where applicable:
RIGHT OF ACCESS
You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.
You can request any available information as to the source of the Personal data, and You may also request a copy of your Personal data being processed by Us.
RIGHT TO BE FORGOTTEN
Your right to be forgotten entitles You to request the erasure of your Personal data in cases where:
RIGHT TO RESTRICTION OF PROCESSING
You may request the restriction of processing in the cases where:
RIGHT TO DATA PORTABILITY
You can request, where applicable, the portability of your Personal data that You have provided to Us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another Controller without hindrance from Us where:
You can also request that your Personal data be transmitted directly to a third party of your choice (where technically feasible).
RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
You may object (right to “opt-out”) to the processing of your Personal data (notably to profiling or to marketing communications). When we process your Personal data on the basis of your consent, You can withdraw your consent at any time.
RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISIONS
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
RIGHT TO LODGE A COMPLAINT TO THE COMPETENT SUPERVISORY AUTHORITY
You can choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. Personal Data
This electronic system allows you to log in and see the progress of your request, see and send messages and review your documents securely. This system is called One Trust and after making the request you will be sent details about how to log on.
Alternatively, you can also send your request by email to DSAR.UKandIE@sodexo.com, in writing to Sodexo Ltd 310 Broadway, Salford, M50 2UE or by calling Sodexo PeopleCentre on 0845 603 3644 and asking for the DSAR team. The team will liaise with you about how to contact you about your request and how you will receive information. Please note that it is usually necessary to arrange a telephone appointment to discuss your request once it has been made.
If you wish to unsubscribe from marketing email communications, you can also do so by changing your preferences on your account.
HOW LONG WILL MY PERSONAL DATA BE HELD?
- We will keep Personal Data that is processed accurate and, where necessary, up to date. We only keep Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for us to assert or defend against legal claims, until approximately 6 months after the end of any relevant legal limitation period.
- If you want to learn more about our specific retention periods for your Personal Data established in our retention policy, you may contact us at DataProtection.UKandIE@sodexo.com or write to us. Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.