India Data Protection Statement

Your privacy is very important to us. We (i.e. Sodexo India Services Private Limited) have developed this India Data Protection Statement in order for you to understand how and why we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal Data. This Statement further describes the measures we take to ensure the protection of your Personal Data. We also tell you how you can reach us to answer any questions or requests you may have about data protection.

What is the scope of this Data Protection Statement?

Territorial Scope

This Statement applies to the activities carried out by Sodexo India Services Private Limited, in India, where we operate under the brand name “Sodexo” (hereinafter referred to as “Sodexo”).

Material Scope

This Statement applies to the Processing of Personal Data by Sodexo India Services Private Limited (Sodexo India), acting as Data Controller. Personal Data is directly or indirectly collected by Sodexo India, from all individuals, including, but not limited to, Sodexo India’s current, past, or prospective job applicants, employees, clients, consumers,  affiliates, suppliers, contractors, shareholders, or any third parties with “Personal Data” being defined as “any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used”.

This document is general in scope and may be supplemented by more specific privacy policies or notices.

Definitions

“Controller” Sodexo India Services Private Limited which determines the purposes and means of the Processing of your Personal data on the website.

“Personal Data” means any data/information relating to an identified or identifiable natural person/ individual; an identifiable natural person/ individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person/ individual.;

“Processing” in relation to Personal Data means a wholly or partly automated operation or set of operations, performed on digital Personal Data and includes operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination, or otherwise making available, restriction, erasure, deletion or destruction.

“Processor” natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller,

“Sensitive Personal Data or Information” as defined under Section 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and reads as follows:

“Sensitive personal data or information of a person" means such personal information which consists of information relating to;—

  • (i) password;
  • (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
  • (iii) physical, physiological and mental health condition;
  • (iv) sexual orientation;
  • (v) medical records and history;
  • (vi) Biometric information;
  • (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
  • (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules."

“Sodexo entity or Sodexo entities” means any corporation, partnership or other entity or organization which is admitted from time to time as member of the Sodexo Group.

“Supervisory Authority” means the supervisory authority in India as stated in the applicable laws in relation to protection of Personal Data.

“us” “we” or “our” Sodexo India Services Private Limited acting as Controller.

“you”  Any site user/visitor or beneficiary of the services of Sodexo India Services Private Limited.

How will your Personal Data be collected and processed?

Compliance with the Indian data protection law and any additional applicable data protection local law

We are committed to complying with any applicable legislation relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with provisions of the Indian data protection law and other applicable local law, if any.

On which legal basis is your personal data being processed?

We do not collect or process Personal Data without having a lawful reason to do so. We may have to collect and process your Personal Data where necessary for the performance of a contract to which you are party, or when it is necessary for compliance with a legal obligation to which we are subject or in any other case, where required, with your prior consent. We may also collect and process your Personal Data for Sodexo India’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

When collecting and Processing your Personal Data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the Processing of your Personal Data, for what purposes your Personal Data is being processed, who the recipients are, what your rights are and how you can exercise them, etc., unless it is impossible, or it requires disproportionate efforts to do so.

When required by applicable law, we will seek your prior consent (e.g. before collecting any Sensitive Personal Data).

What is the purpose of the processing of your personal data?

Your Personal Data is collected for specified, explicit and legitimate purposes, in a manner compliant with the applicable laws, and not further processed in a manner that is incompatible with those purposes or the law.

Your Personal data may be processed mainly for, but not limited to, the following purposes:

  • recruitment management and human resources management,
  • accounting and financial management and related controls and reporting,
  • finance, treasury and tax management, risk management, management of employees’ safety,
  • provision of active directory, multi-factor authentication
  • IT tools or internal websites and any other digital solutions or collaborative platforms,
  • IT support management, including infrastructure management, systems management, applications,
  • management of CCTV
  • provision of digital identities and safety environment,
  • health and safety management,
  • information security management,
  • client relationship management,
  • bids, sales and marketing management,
  • supply management,
  • internal and external communication and events management,
  • ensuring security of assets and premises, client relationship management including billing and payment, customer service,
  • compliance with anti-money laundering obligations or any other legal requirements,
  • data analytics operations,
  • management of public affairs and CSR (“Corporate Social Responsibility”) legal corporate management and implementation of compliance processes.

Additional description of the Processing of Personal Data performed by Sodexo India Services Private Limited is provided in the Privacy Policies available on our specific applications.

How long do we keep your personal data?

Sodexo India will keep the Personal Data that has been collected and processed accurately and, where necessary, up to date.  We retain the Personal Data for as long as is necessary to fulfil the purpose for which it is collected. The Personal Data collected and Processed may also be stored for the purposes of satisfying any legal, accounting or reporting requirements and, where required for us to assert or defend any legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data established in our retention policy, you may contact us at dpo.oss.in.apac@sodexo.com .

Upon expiry of the applicable retention period, we will securely delete and destroy records of your personal data in accordance with applicable laws and regulations.

How do we keep your Personal Data safe and confidential?

We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure or access, in accordance with our Group Information and Systems Security Policy.

We take, when appropriate, all reasonable measures based on privacy by design and privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data. We also carry out, depending on the level of risk raised by the processing, a Privacy Impact Assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Data. We also provide additional security safeguards for data considered to be Sensitive Personal Data.

Who may have access to your personal data?

We share your Personal Data, in the following circumstances:

  • with entities working within Sodexo Group, under the name “Sodexo”,
  • with third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
  • with companies providing money laundering and terrorist financing checks and with companies working on fraud and crime prevention, and other similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared;
  • with courts, law enforcement authorities, regulators, Supervisory Authority, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
  • with service providers who we engage within or outside of Sodexo India, domestically or abroad, e.g. shared service centres, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
  • if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

International personal data transfers

For the safety and protection of your personal data being transferred to other countries or to other entities, we have implemented adequate safeguards. For this purpose, we have implemented the Sodexo Binding Corporate Rules (BCR) within the Sodexo Group. Through these Rules, even if the third countries in which the Sodexo Group operates, are located outside of the European Economic Area, your Personal data is still protected in the same way it would have been by any entity located within the European Economic Area.

For further information, including obtaining a copy of the documents used to protect your information, please contact us at dpo.oss.in.apac@sodexo.com.

Sensitive Personal data or Information

As a general rule, we do not collect Sensitive Personal data or Information via our site to provide our services.

In the event that it would be strictly necessary to collect such data for processing purposes, we will do so in accordance with local legal requirements for the protection of Personal data (and Sensitive Personal Data and Information) and, in particular, with your prior explicit consent.

Personal Information and Children

Our sites and services are provided for adults who have the capacity to conclude a contract under the applicable legislation of India. For the provision of the services, we might process Personal data of children, but it is always done with the consent of their legal guardian.

Your privacy rights

It is important that the Personal Data we hold about you is accurate and up to date.

Sodexo India is committed to ensuring protection of your privacy rights under applicable laws. You will find below a table summarizing your privacy rights under the applicable data protection law, which applies to all Personal data processed on the site.

Data Protection right

Description of the right

Right of access and rectification

You can request a copy of the Personal data we hold about you. You may also request the rectification of inaccurate Personal data, or to have incomplete Personal data completed.

Right to erasure

Your right to be forgotten entitles you to request the erasure of your Personal data in compliance with the applicable law

Right to object to Processing

You may object (i.e., exercise your right to “opt-out”) to the Processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.

Right to lodge a complaint

You can choose to lodge a complaint with the data protection authority in India. You can also lodge a complaint with the courts in India.

To exercise these rights, you can:

Raise queries or complaints with the local Data Protection Single Point of Contact by email to dpo.oss.in.apac@sodexo.com or by post to Data Protection SPOC, Sodexo India Services Private Limited, 1st Floor, Gemstar Commercial Complex, Ramchandra Lane Extension, Kanchpada, Malad (West), Mumbai – 400064

No fee usually required

You will not have to pay a fee to access your Personal data (or to exercise any of the other rights).

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

For more details, please consult the India Data Protection Rights Management Policy.

Update

We may update this Statement from time to time as our business changes or legal requirements change. If we make any significant changes to this Statement, we will post a notice on our website before the changes go into effect.

If you have any questions or comments with regard to this policy, please do not hesitate to contact us at the following address: dpo.oss.in.apac@sodexo.com

Last update: 18th April, 2025