Your privacy is very important to us. We have developed this Data Protection Policy in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal data. This Data Protection Policy describes the measures we take to ensure the protection of your Personal data. We also tell you how you can reach us to answer any questions you may have about data protection.

SCOPE

The Data Protection Policy applies to Sodexo Cyprus Ltd (hereinafter designated as “Sodexo”) for all dimensions and activities in the Cyprus region. This policy applies to the Processing of Personal data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used. In this Policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Sodexo” means the Sodexo Cyprus Ltd.

COLLECTION AND PROCESSING USE OF YOUR PERSONAL DATA

LAWFULNESS, FAIRNESS AND TRANSPARENCY

We do not collect or process Personal data without having a lawful reason to do so. We may have to collect and process your Personal data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with your prior consent. We may also collect and process your Personal data for Sodexo’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

When collecting and processing your Personal data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal data, for what purposes your Personal data are processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible, or it requires disproportionate efforts to do so. When required by applicable law, we will seek your prior consent (e.g. before collecting any Sensitive Personal data).

LEGITIMATE PURPOSE, LIMITATION AND DATA MINIMISATION

Your Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. When Sodexo acts for its own purposes, your Personal Data is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management , including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

DATA ACCURACY AND STORAGE LIMITATION

Sodexo will keep Personal Data that is processed accurate and, where necessary, up to date. Also, we will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for Sodexo to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.

If you want to learn more about our specific retention periods for your Personal Data established in our retention policy you may contact us at dpo.cyprus@sodexo.com

Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.

SECURITY OF YOUR PERSONAL DATA

DISCLOSURE OF YOUR PERSONAL DATA

We share your Personal Data, in the following circumstances:

• with our entities (subsidiaries and/or affiliates) for the purposes described in this policy;
• with third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
• with companies providing services for money laundering and terrorist financing checksand other fraud and crime prevention purposes and companies providing similar services, including financial institutionsand regulatory bodies with whom such Personal Data is shared;
• with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
• with service providers who we engage within or outside of Sodexo, domestically or abroad, e.g. shared service centres, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
• if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

INTERNATIONAL PERSONAL DATA TRANSFERS

European data protection law does not allow the transfer of Personal Data to third countries outside EEA that do not ensure an adequate level of data protection. Some of the third countries in which Sodexo operates outside EEA do not provide the same level of data protection as the country in which you reside and are not recognized by the European Commission as providing an adequate level of protection for individuals’ data privacy rights.

For transfers of your Personal Data to such countries, either to entities within or outside Sodexo, Sodexo has put in place an adequate safeguard to protect your Personal Data. You will be provided with more information about any transfer of your Personal Data outside of Europe at the time of the collection of your Personal Data through appropriate privacy statements.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at dpo.cyprus@sodexo.com

COOKIES

Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website.

We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more details, please consult our Cookies Policy.

You can use this form to make a request. This electronic system allows you to log in and see the progress of your request, see and send messages and review your documents securely. This system is called One Trust and after making the request you will be sent details about how to log on.

Alternatively you can also send your request or complaint by sending an email to the Local Data Protection Office at the following email address: dpo.cyprus@sodexo.com

For more details, consult the Global Data Protection Requests Policy.