Purpose of this Policy
The following information is provided to you to inform you of Sodexo Pass International commitments in terms of personal data protection.
Sodexo Pass International builds strong, lasting relationships with its customers, partners and consumers based on mutual trust: making sure that their personal data is safe and remains confidential is an absolute priority for Sodexo Pass International.
Sodexo Pass International is committed to comply with all applicable regulatory and legal provisions governing the protection of personal data.
- Users remain in control of their own data. The data is processed in a transparent, confidential and secure manner.
- Sodexo Pass International is committed to a continuing quest to protect its users’ Personal data in accordance with the General Data Protection Regulation of April 27, 2016 (GDPR).
- Sodexo Pass International has a data protection officer, that you can contact is case of question.
Please read the Policy carefully to familiarize yourself with the categories of personal data that are subject to collection and processing, how we use this personal data and with whom we are likely to share it. This policy also describes your rights and how you can get in touch with us to exercise these rights or to ask us any questions you might have concerning the protection of your personal data.
This policy may be amended, supplemented or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. However, your personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively.
Identity and contact details of the Controller
The Data Controller is:
Sodexo Pass International,
A Société Anonyme with a capital of
Registered office: 255, quai de la Bataille de Stalingrad - 92130, Issy-les-Moulineaux - FRANCE
Trade register: XXXX RCS Nanterre
- “Controller”: Sodexo Pass International which determines the purposes and means of the processing of your personal data on the Site.
- “Personal data”: Means any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person.
- “Processing”: Any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor: A legal person which processes personal data on behalf of the Controller.
- “us” “we” or “our”: Sodexo Pass International acting as controller
- “you” or “Users”: Any Site user/visitor.
How will your Personal data be collected? Is it mandatory that you or others provide your Personal data?
We may collect your personal data in the ways listed below:
- Collection of your Personal data directly from you, such as when you complete forms on our Sites ; and
- Collection of your Personal data indirectly during your navigation on the Site or via our services providers and/or technologies on our Sites.
We will collect your personal data on a mandatory basis where this is required by applicable local laws or where this is necessary for the performance of the Services on the Site.
If we are unable to collect this mandatory of personal data items, we will not be able to manage your access to the Site.
For which purposes and on which legal basis will your Personal data be collected and processed? What Personal data does Sodexo Pass International hold?
We may process, use and disclose your Personal data for certain purposes detailed below connected to your use of the Site.
We will collect and process your Personal data as detailed below (without this list being exhaustive) where necessary to provide you an access to the Site, or when it is necessary for compliance with a legal obligation to which we are subject. We will also collect and process your personal data for Sodexo Pass International’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms. Where legitimate interests do not apply as a lawful basis of processing of personal data under the applicable data protection laws, the prior explicit consent will be alternatively collected if required by law.
- Data Processing Activities:
- Site navigation
- Personalization of the Site and Enhancement of the experience
- Compliance to Legal Obligations
- Categories of Personal data:
- IP address
- Statistical data
- Identification Data (name, surname, image - if you provided it)
- Technical data (time and date of connection, meta data)
- Legal basis:
- Legitimate Interest
- Legal Obligation
To whom will your Personal data be disclosed?
Sodexo Pass International works with several distributing entities under the brand Pluxe.
There is a possibility of transfers within ou outisde of the Pluxee group.
- Within Pluxee: The security and confidentiality of your Personal data is of great importance to us. This is why we restrict access to your Personal data only to members of our staff only to the extent strictly necessary to process your Personal data or to provide the services necessary for the Site. We ensure that the persons authorized to process the Personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
European data protection law does not allow the transfer of personal data to third countries outside European Economic Area (‘EEA’) that do not ensure an adequate level of data protection. Some of the third countries in which Pluxee entities operate are located outside of the EEA and do not provide the same level of data protection as the country in which you reside and are not recognized by the European Commission as providing an adequate level of protection for individuals’ data privacy rights. For those transfers, Sodexo Pass International has implemented the appropriate safeguards in accordance with the relevant Data Protection laws and rules.
Outside of Pluxee: We will not disclose your Personal data to any unauthorized third parties. We may, however, share your Personal data with authorized service providers (for example: technical service providers [hosting, maintenance], consultants, etc.) whom we may call upon for the purpose listed above in compliance with the applicable data protection laws.
All third-party service providers to whom we have disclosed and transferred your personal data has been engaged under a binding confidentiality and data processing agreement with Sodexo Pass International or its entities, whereby said third party may act only upon the instruction of Sodexo Pass International or its entities.
This third-party service provider and/or other contractors, as the case may be, may be located in countries (e.g., United States, United Kingdom), which data protection laws may not provide a level of protection equivalent to European law (it being specified the European Commission has recognized the United Kingdom as providing adequate protection). If Sodexo Pass International or its entities disclose your personal data to such recipients, which shall be only for disaster recovery purposes or for the purpose of providing assistance on our request, we will establish and/or confirm that, prior to receiving any of your personal data, they will provide an adequate level of protection for your personal data including appropriate technical and organizational security measures. In particular, if the recipients concerned are located in a country that does not provide an adequate level of protection (as this is the case in the United States), Sodexo Pass International or its entities will also implement other appropriate measures, including standard contractual clauses, to secure such transfer, in compliance with French law. If you want to access a copy of the relevant documentation, please send an email to firstname.lastname@example.org.
Furthermore, we may share your Personal data (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials or (iii) if we are of the opinion that transferring these data is necessary or appropriate to prevent any physical harm or financial loss or in respect of an investigation concerning a suspected or proven unlawful activity.
How long will your Personal data be held?
We will store your Personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, as listed above. This period may be extended, if applicable, for any amount of time prescribed by any legal or regulatory provisions that may apply.
Cookies will only be kept for a maximum of 13 months in order to fulfill their purposes.
The data related to your use of the Site, will be kept for as long as necessary for the processing.
Finally, please note that we may anonymize your personal data in such a way that you can no longer be identified and continue to use it for statistical purposes. Data used for statistical purposes is no longer classified as personal data once it has been duly anonymized.
Sensitive Personal data
As a general rule, we do not collect sensitive Personal data via our Site. “Sensitive Personal data” refers to any information concerning a person’s racial or ethnic origins, political opinions, religious or philosophical beliefs, union membership, health data or data relating to the sexual life or the sexual orientation of a natural person. This definition also includes personal data relating to criminal convictions and offenses.
In the event that it would be strictly necessary to collect such data to achieve the purpose for which the processing is performed, we will do so in accordance with local legal requirements for the protection of Personal data and, in particular, with your explicit prior consent and under the conditions described in this policy.
Your Privacy Rights
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes by updating your account on the Site.
Sodexo Pass International is committed to ensure protection of your privacy rights under applicable laws. You will find below a table summarizing your privacy rights under the applicable data protection law which applies to all personal data is processed on the Site.
- Right of access and rectification: You can request a copy of the Personal data we hold about you. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.
- Right to erasure: Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:
- the data is no longer necessary for the purpose for which it was collected;
- you choose to withdraw your consent;
- you object to the processing of your Personal data;
- your Personal data has been unlawfully processed;
- there is a legal obligation to erase your Personal data;
- erasure is required to ensure compliance with applicable laws.
- Right to restriction of Processing: You may request that processing of your Personal data be restricted in the cases where:
- you contest the accuracy of your Personal data;
- we no longer needs your Personal data for the purposes of the processing;
- you have objected to processing for legitimate reasons.
- the processing of your Personal data is unlawful and you prefer the restriction of their use instead of their deletion
- Right to data portability: You can request, where applicable, the portability of your Personal data that you have provided to us, in a structured, commonly used, and machine-readable format you have the right to transmit this data to another Controller without hindrance from us where:
- the processing of your Personal data is based on consent or on a contract; and
- the processing is carried out by automated means.
You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).
- Right to object to Processing: You may object (i.e., exercise your right to “opt-out”) to the processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.
- Right not to be subject to automated decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you.
- Right to lodge a Complaint: You can choose to lodge a Complaint with the French Supervisory Authority (the Cnil: https://www.cnil.fr/.
You have also the right to lodge your Complaint before the French courts or where you have your habitual residence.
- Right to define post-mortem directives: In accordance with the French Data Protection Act, you have the possibility to define directives relating to the conservation, deletion and communication of your Personal data after your death. These directives can be registered with a trusted digital third party, certified by the Cnil and responsible for enforcing your wishes in accordance with the requirements of the applicable regulations on the protection of Personal data.
To exercise these rights, you can complete and submit your request with the dedicated Request form by email to email@example.com.
You can also raise queries or complaints to the data protection officer, by email to firstname.lastname@example.org or by post to Sodexo Pass International 255 Quai de la Bataille de Stalingrad, 92130 Issy-les-Moulineaux, France .
No fee usually required.
You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.
How will my Personal data be protected?
We implement all possible technical and organizational security measures to ensure security and confidentiality in processing your Personal data.
To this end, we take all necessary precautions given the nature of the Personal data and the risks related to its processing, in order to maintain data security and in particular to prevent distortion, damage or unauthorized third-party access (physical protection of the premises, authentication procedures with personal, secured access via identifiers and confidential passwords, a connection log, encryption of certain data, etc.).
In addition, if we contract with Processors for all or part of the Processing of your Personal data, we require a contractual agreement from our service providers to guarantee the security and confidentiality of the Personal data that we transmit to them or that they collect on our behalf, in accordance with the applicable regulations on the protection of Personal data.
We regularly conduct audits to verify the proper operational application of the rules relating to the security of your Personal data.
Nevertheless, you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet.
Links to other sites/platforms
How will you be notified if the uses of your Personal data change?
We may update or amend this policy as and when needed. In this case, amendments will only become applicable after a period of 30 business days from the date of the amendment. Please consult this page from time to time if you want to be informed of any possible changes.
If you have any questions or comments with regard to this policy, please do not hesitate to contact us at the following address email@example.com.