Supply Management Data Policy

Purpose of this Policy

  • This Supply Management (hereafter referred to as “SM”) Data Protection Policy (the “Policy”) sets out our general approach to dealing with your personal data collected from you or otherwise received by Sodexo and its subsidiaries or affiliates (“we”, “us”) for the purposes of supplier management and especially for the management of the Supplier Information Management System and Vendor Application Form as well as for the management of our supplier management business relationships (the “SM Services”). This Policy is governed by the local laws of your country applicable to You, namely the laws of Singapore, Malaysia, Philippines, Thailand, Vietnam or Indonesia. If there is any conflict between this Policy and the data protection laws in your country, then such laws, where applicable, will prevail. 
  • This Policy may be amended, supplemented, or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. 

What is included in our SM Services?

  • The SM Services include the management of the Supplier Information Management System and Vendor Application Form which are used to manage our supplier management accounts and contracts, contact information, our supply chain and, in particular, for market or business analysis, SM pipeline and strategic intelligence. 
  • The SM Services are provided by Sodexo to our supplier(s), our subcontractor(s), and/or the employee(s) of our supplier(s) and subcontractor(s).
  • Access to the SM Services is limited to Sodexo authorized persons within the SM team on a need-to-know basis (including users responsible for managing SM, as well as authorized persons including Marketing, Retention, Operations, IS&T, Strategic Planning, Finance, Communication or Legal departments). Security and access rights are strictly managed in accordance with pre-defined user requirements. 

Definitions

  • “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
  • “Personal data” means any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person.
  • “Sodexo” means the applicable Sodexo local entity with its registered office in South East Asia, namely, Sodexo Singapore Pte Ltd in Singapore, Sodexo Malaysia Sdn Bhd in Malaysia, PT Sodexo Indonesia in Indonesia, Sodexo Services (Thailand) Co., Ltd in Thailand, Sodexo Vietnam Company Limited in Vietnam, or Sodexo On-Site Services Philippines, Inc. in Philippines.
  • “Our” means Sodexo and its subsidiaries or affiliates, insofar as it is concerned.
  • “You” means any user of the Supplier Information Management System or Vendor Application Form.

Who operates the SM services?

  • With regard to the Supplier Information Management System, Sodexo S.A., a company existing and organized under the laws of France, its registered office at 255, Quai de la Bataille de Stalingrad, 92130 Issy-les-Moulineaux, registered at the Registry of Commerce and Companies of Nanterre under the number RCS B 301 940 219 RCS Nanterre, operates the SM Services and acts as the data controller at a group level pursuant to its acceptation under French data protection law.
  • With regard to the Vendor Application Form, the SM Services are operated by the Sodexo local entities in Singapore under Singapore data protection law, Malaysia under Malaysian data protection law, Philippines under Philippine data protection law, Thailand under Thailand data protection law, Vietnam under Vietnam data protection law, or Indonesia under Indonesian data protection law.

Collection and source of Personal data

  • We will most likely collect your Personal data directly from You (from the hard copy or soft copy Vendor Application Form that You filled in or the Supplier Information Management System) or indirectly (via SM or Operations teams, as well as external sources).
  • We undertake to obtain your consent and/or to allow You to refuse the use of your Personal data for certain purposes whenever necessary.

What are the types of Personal data collected and used by us?

  • We may collect and use the following categories of Personal data relating to You:
  • The information that You provide for authentication purposes including your name (first name and last name) and your professional contact details (for example, business email address and business phone number etc.); and
  • The information that You provide (for example, for the purposes of reviewing questionnaire online, to participate in surveys, for marketing purposes, etc.).

How and for which purposes will the Personal data collected be used?

  • We use your Personal data specifically for the following purposes:
  • Management of your account and your access to the Supplier Information Management System;
  • Management of our contractual relationship with You;
  • Management of supply chain and supply chain pipeline;
  • Communicate with You and respond to your queries or requests; 
  • Protect, enforce and fulfil our contractual and legal rights and obligations;
  • Prevent, detect and investigate crime, including fraud and money-laundering, and analyse and manage other commercial risks;
  • Manage our infrastructure and business operations and comply with internal policies and procedures;
  • Facilitate business asset transactions (which may extend to any merger, acquisition or asset sale) involving Sodexo or any of its affiliates;
  • Comply with any applicable rules, laws and regulations, codes of practice or guidelines or assist in law enforcement and investigations by relevant authorities;
  • Market, business and strategic intelligence;
  • To help us review, develop, improve, manage the delivery of and – to the extent this requires the use of Personal data – enhance our products, services and supply chain;
  • To provide, deliver and improve the services available on our system;
  • To conduct satisfaction surveys and perform statistical analyses;
  • To carry out data analytics and statistical analysis to monitor the quality and operational excellence of our services;
  • To customize your experience on the Supplier Information Management System;
  • To prevent potential fraud and ensure the security of our IT systems; and
  • To comply with our legal and regulatory obligations.

On which legal basis will your Personal data be collected and processed?

We collect and process your Personal data where necessary for the performance of a contract to which You are subject as well as for Sodexo’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms. We will also rely on your consent to collect and process any sensitive Personal data. You will be able to withdraw your consent at any time.

To whom will my Personal data be disclosed?

  • We will not disclose your Personal data to any unauthorized third parties. Your Personal data will only be available to internal or external third parties, who need such access for the purposes listed above or where required by law. 
  • The main categories of data recipients are the following (without this list being exhaustive): authorized internal persons, third-party service providers or other contractors who process Personal data on behalf of Sodexo and, as the case may be, judicial and regulatory authorities.
  • We do not authorize our service providers to use or disclose your Personal data, except to the extent necessary to deliver the services on our behalf or to comply with legal obligations. Furthermore, we may share Personal data concerning You (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials or (iii) if we are of the opinion that transferring this data is necessary or appropriate to prevent any physical harm or financial loss or in respect of an investigation concerning a suspected or proven unlawful activity.
  • Different access levels are applied to data in the context of our SM Services to ensure that such data is visible only to appropriate users and groups who need such access for the purposes listed above or where required by law; those access levels also determine whether data will be searchable in the SM Services.
  • Your Personal data is hosted in the United Kingdom, Ireland, and Paris by our third-party service provider. Sodexo has indeed contracted with a third-party service provider to manage the SM Services and provide technical and other support for the applications. Your Personal data may be disclosed and transferred to such third-party service provider and other contractors as deemed necessary for the purposes described in this Policy. All third-party service providers involved in the provision or the management of the SM Services have been engaged under an agreement with Sodexo, whereby said third party may act only upon the instructions of Sodexo. These third-party service providers may only access the SM Services for the purposes of hosting the database, providing technical support, and providing services that enhance the efficiency of the SM Services. Relevant personnel have been trained and authorized to support the SM Services. Additionally, your Personal data set out in (i) the Vendor Application Forms and (ii) the additional documents attached to these forms, are stored in Singapore, Malaysia, Philippines, Thailand, Vietnam, or Indonesia by the relevant Sodexo entity.
  • This third-party service provider and/or other contractors, as the case may be, may be located in countries where data protection laws may not provide a level of protection equivalent to the local laws of your country applicable to You. If Sodexo discloses your Personal data to such recipients, we will ensure that, prior to receiving or remotely accessing any of your Personal data, they will provide an adequate level of protection for your Personal data including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection, Sodexo will also implement adequate safeguards. In particular, Sodexo will rely on appropriate legal mechanisms, including standard contractual clauses, to secure such transfer, in compliance with local data protection law of your country applicable to You. If You want to access a copy of the relevant standard contractual clauses, please send an email to the Global Data Protection Office at the following email address: dpo.group@sodexo.com.
  • We may also disclose your Personal data to recipients among the Sodexo group entities for the purposes set forth herein. In this context, we only proceed to such disclosure provided that your Personal data is solely disclosed to the relevant Sodexo group entities on a need-to-know basis with respect to the aforementioned purposes. 
  • Certain recipients of these disclosures among the Sodexo group entities may be located in foreign countries, for some of which data protection laws may not provide a level of protection equivalent to the local law of your country applicable to You. If Sodexo discloses your Personal data to such recipients, we will establish and/or confirm that, prior to receiving any of your Personal data, they will provide an adequate level of protection for your Personal data including appropriate technical and organizational security measures. Sodexo will also implement appropriate safeguards, including standard contractual clauses, to secure such transfer, in compliance with the local law of your country applicable to You. If You want to access a copy of the standard contractual clauses, please send an email to the Global Data Protection Office at the following email address: dpo.group@sodexo.com.

How will your Personal data be protected?

  • We implement appropriate technical and organizational measures to protect Personal data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure or access, in accordance with our Group Information & Systems Security Policy.
  • We take, when appropriate, all reasonable measures based on privacy by design and privacy by default principles to implement the necessary safeguards and protect the Personal data processing. We also carry out, depending on the level of risk raised by the processing, a privacy impact assessment to adopt appropriate safeguards and ensure the protection of the Personal data. We also provide additional security safeguards for data considered to be sensitive Personal data.

How can You access your Personal data?

  • Sodexo is committed to ensuring protection of your rights under applicable laws. You will find below a table summarizing your different rights where applicable (without this list being exhaustive):

Right of access  

You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed. 
You can request any available information as to the source of the Personal data, and You may also request a copy of your Personal data being processed by Sodexo.

Right to be forgotten

Your right to be forgotten entitles You to request the erasure of your Personal data in cases where:
(i)  the data is no longer necessary in relation to the purposes of its collection or processing;
(ii)  You choose to withdraw your consent;
(iii)  You object to the processing by automated means using technical specifications; 
(iv)  your Personal data has been unlawfully processed;
(v)  there is a legal obligation to erase your Personal data;
(vi)  erasure is required to ensure compliance with applicable laws.

Right to restriction of processing

You may request the restriction of processing in the cases where:
(i)  You contest the accuracy of the Personal data;
(ii)  Sodexo no longer needs the Personal data for the purposes of the processing;
(iii)  You have objected to processing for legitimate reasons.

Right to data portability 

You can request, where applicable, the portability of your Personal data that You have provided to Sodexo, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another controller without hindrance from Sodexo where:
a)  the processing of your Personal data is based on consent or on a contract; and
b)  the processing is carried out by automated means.
You can also request that your Personal data be transmitted directly to a third party of your choice (where technically feasible).

Right not to be subject to automated decisions  

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.

Right to lodge a complaint to the competent supervisory authority

If You have a privacy-related complaint against us, You may complete and submit the Request/Complaint Form or make your complaint with the competent supervisory authority or the competent court where the Sodexo entity has an establishment or where you have your habitual residence.

To exercise these rights, You can

  • send your request or complaint by email to the Group SM team at the following email address: suppliersea.amecaa@sodexo.com, your local data protection single point of contact at dpo.sg.apac@sodexo.com or the Group Data Protection Officer at the following email address: dpo.group@sodexo.com
  • use the online request web form: This electronic system allows You to log in and see the progress of your request, see and send messages and review your documents securely. This system is called “One Trust” and after making the request You will be sent details about how to log on. 

How long will your Personal data be held? 

Generally, the SM Services will retain your Personal data for 7 years after the last contact with You for the relevant purposes described in this Policy. This may be different from country to country dependent upon local law in Singapore, Malaysia, Thailand, Indonesia, Vietnam, or Philippines, whichever is applicable to the Sodexo local entity, and may be affected by specific regulatory or legal obligations for particular regulations.

How will You be notified if the uses of your data change?

  • If the uses of your Personal data in the SM Services significantly change, we will issue a new Policy and/or take other steps to notify You beforehand of such changes so that You may review them and check whether they are acceptable (to the extent necessary) to You. 

Who is your local system administrator?

  • If You require further information about this Policy, please contact your local data protection single point of contact at dpo.sg.apac@sodexo.com or the Group Data Protection Officer at dpo.group@sodexo.com
  • If You require further information about the SM Services, please contact the Group SM team at suppliersea.amecaa@sodexo.com 

Last update: 2 August 2021