Online Data Protection Policy

Your privacy is very important to us. We have developed this Philippines Data Protection Policy in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal Information. This Philippines Data Protection Policy describes the measures we take to ensure the protection of your Personal Information. We also tell you how you can reach us to answer any questions you may have about data protection.

SCOPE

The Philippines Data Protection Policy applies to Sodexo On-Site Services Philippines, Inc. (hereinafter designated as “Sodexo”) for all dimensions and activities, where the Data Privacy Act of 2012 and associated regulations apply (collectively, “Philippines Data Protection Laws”).

This policy applies to the Processing of Personal Information collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Information” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.

In this Policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the Sodexo entity in Philippines, namely Sodexo On-Site Services Philippines, Inc.

COLLECTION AND PROCESSING USE OF YOUR PERSONAL INFORMATION

COMPLIANCE WITH PHILIPPINES DATA PROTECTION LAWS AND ANY ADDITIONAL APPLICABLE DATA PROTECTION LOCAL LAW

We are committed to complying with any applicable legislation relating to Personal Information and we shall ensure that Personal Information is collected and processed in accordance with provisions of the Philippines Data Protection Laws and other applicable local law, if any.

LAWFULNESS, FAIRNESS AND TRANSPARENCY

We do not collect or process Personal Information without having a lawful reason to do so. We may have to collect and process your Personal Information where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal Information for Sodexo’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

When collecting and processing your Personal Information, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Information, for what purposes your Personal Information are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible or it requires disproportionate efforts to do so.

When required by applicable law, we will seek your prior consent (e.g. before collecting any Sensitive Personal Information).

LEGITIMATE PURPOSE, LIMITATION AND DATA MINIMIZATION

Your Personal Information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

When Sodexo acts for its own purposes, your Personal Information is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management , including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

DATA ACCURACY AND STORAGE LIMITATION

Sodexo will keep Personal Information that is processed accurate and, where necessary, up to date. Also, we will only retain Personal Information for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required, for Sodexo to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled, whichever is the later. If you want to learn more about our specific retention periods for your Personal Information established in our retention policy you may contact us at dpo.ph@sodexo.com.

Upon expiry of the applicable retention period we will securely destroy your Personal Information in accordance with applicable laws and regulations.

SECURITY OF YOUR PERSONAL INFORMATION

We implement appropriate technical and organizational measures to protect Personal Information against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our group information and systems security policy.

We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Information. We will also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Information. We also provide additional security safeguards for data considered to be Sensitive Personal Information.

DISCLOSURE OF YOUR PERSONAL INFORMATION

We share your Personal Information, in the following circumstances:

with Sodexo entities for the purposes described in this policy;
with third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Information is shared;
with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
with service providers who we engage within or outside of Sodexo, domestically or abroad, e.g. shared service centres, to process Personal Information for any of the purposes listed above on our behalf and in accordance with our instructions only;
if we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

INTERNATIONAL PERSONAL INFORMATION TRANSFERS

Philippines Data Protection Laws do not allow the transfer of Personal Information to other countries that do not ensure an adequate level of data protection. Some of the third countries in which Sodexo operates do not provide the same level of data protection as Philippines.

For transfers of your Personal Information to such countries, either to entities within or outside Sodexo, Sodexo has put in place an adequate safeguard to protect your Personal Information. You will be provided with more information about any transfer of your Personal Information outside of Philippines at the time of the collection of your Personal Information through appropriate privacy statements.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at dpo.ph@sodexo.com.

COOKIES

Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website.

We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies Policy here: https://ph.sodexo.com/terms-and-conditions/cookie-policy.html

YOUR RIGHTS

Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights:

Right of access and rectification

You can request a copy of the Personal Information we hold about you. You may also request rectification of inaccurate Personal Information, or to have incomplete Personal Information completed.

Right of access and rectification	You can request a copy of the Personal Information we hold about you. You may also request rectification of inaccurate Personal Information, or to have incomplete Personal Information completed.
Right to erasure	Your right to be forgotten entitles you to request the erasure of your Personal Information in cases where: the data is no longer necessary for the purpose for which it was collected; you choose to withdraw your consent; you object to the processing of your Personal Information; your Personal Information has been unlawfully processed; there is a legal obligation to erase your Personal Information; erasure is required to ensure compliance with applicable laws
Right to restriction of processing	You may request that processing of your Personal Information be restricted in the cases where: you contest the accuracy of your Personal Information; Sodexo no longer needs your Personal Information for the purposes of the processing; you have objected to processing for legitimate reasons.
Right to data portability	You can request, where applicable, the portability of your Personal Information that you have provided to Sodexo, in a structured, commonly used, and machine-readable format you have the right to transmit this data to another Personal Information Controller without hindrance from Sodexo where: the processing of your Personal Information is based on consent or on a contract; and the processing is carried out by automated means You can also request that your Personal Information be transmitted to a third party of your choice (where technically feasible).
Right to object to processing	You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal Information particularly in relation to profiling or to marketing communications. When we process your Personal Information on the basis of your consent, you can withdraw your consent at any time.
Right not to be subject to automated decisions	You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you.
Right to lodge a Complaint	You can choose to lodge a Complaint with the Data Protection Supervisory Authority in the Philippines if (i) you have suffered a data privacy violation or Personal Information breach; or (ii) you are personally affected by a violation of the Data Privacy Act of 2012.

You may, at any time, exercise any of the above rights or contact us with any data protection related queries or concerns:

by completing the request form and send it to the generic email address as indicated in the privacy notices and/or the privacy policies provided to you at the time of the collection of your Personal Information.

For more details, consult the Philippines Data Protection Rights Management Policy.

CHILDREN

Children merit specific protection with regard to their Personal Information, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal Information. Such specific protection should, in particular, apply to the use of Personal Information of children for the purposes of marketing or creating personality or user profiles and the collection of Personal Information with regard to children when using services offered directly to a child. We do not collect and process Children’s Personal Information without the consent of the holder of parental responsibility where required. In particular, we do not promote or market our services to children, except for specific services and upon the consent of the holder of parental responsibility. If you believe that we have mistakenly collected a child’s Personal Information, please notify us using the contact details provided below.

UPDATE

We may update this policy from time to time as our business changes or legal requirements change. If we make any significant changes to this policy, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.

CONTACT US

If you have questions, comments and requests regarding this policy you can address them to your Local Single Data Protection Point of Contact at dpo.ph@sodexo.com.

Definitions
Complaint means the complaint lodged by a Data subject with the Data Protection Supervisory Authority.

Personal Information Controller means the entity that determines the purposes and means of the Personal Information processing.

Data Protection Supervisory Authority means the National Privacy Commission in the Philippines.

Local Single Data Protection Point of Contact means the person appointed by a Sodexo entity, in charge of handling local data privacy issues. This point of contact is part of the Global Data Protection Network.

Personal Information means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing or Processing of Personal Information means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Privacy by design means that where a new digital project or a new business opportunity is initiated, involving Processing of Personal Information, data protection shall be taken into account, both at the time of the definition of the means and the related appropriate technical and organizational security measures for the Processing and at the time of the implementation of Processing itself. The same principle applies where Sodexo intends to merge with or acquire a company, it shall make sure that data protection principles are respected.

Privacy by default means that personnel should be trained to handle Personal Information and implement procedures to ensure that each time Personal Information is processed, appropriate technical and organizational measures are taken for ensuring that, by default, only Personal Information which is necessary for each specific purpose is processed (in terms of amount of data processed, extent of the processing and data retention) and is made accessible only to a limited number of persons who need to know.

Sensitive Personal Information means any Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. This definition includes also Personal Information relating to criminal convictions and offences.

Sodexo entity or Sodexo entities means any corporation, partnership or other entity or organization which is admitted from time to time as member of the Sodexo Group.