Ivanti HR Case Management (“Case Management tool”) is a system that helps HR teams handle and resolve questions or issues from current and former employees, candidates, contractors and other external partners. It makes it easier to track requests, such as questions about pay, benefits, leave, or company policies, which are then reviewed, followed up on, and resolved by the right Sodexo team.
This policy applies to all individuals who access, interact with, or submit requests to the Case Management tool.
Please note that when you submit a request to the designated Case Management email address, a case is created in the Case Management tool.
The following information is provided to you to inform you of Sodexo’s (hereinafter, “Sodexo” or “we”) commitments when processing Personal data.
Sodexo’s objective is to build strong, lasting relationships with everyone based on mutual trust: making sure that your Personal data is safe and remains confidential is a priority for Sodexo.
In particular, Sodexo is committed to complying with all applicable Data Protection Laws and Regulations, including with the General Data Protection Regulation of April 27, 2016 (GDPR).
Please take the time to review this privacy policy carefully to understand how your Personal data is handled within Case Management tool and to get to know your privacy rights. If you have any questions or concerns about this policy, please do not hesitate to contact the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. If you are unsure who your Local Data Protection Point of Contact is, please reach out to your primary Sodexo point of contact - for example, your HR representative/recruiter, supervisor or contract manager - who will assist you in connecting with the appropriate Data Protection contact.
Please note that by logging into the Case Management tool, or by submitting a case via email, you acknowledge that you have read and understood this Privacy Notice and the terms specified herein.
If you are a Sodexo employee using the Case Management tool, please make sure to review your local HR Data Protection Notice to learn more about how the Sodexo entity acting as your employer processes your data.
What is a data "controller"? A controller is an entity (company) that decides “why” (the purposes) and “how” (the means) Personal data is collected and used. In particular, for the purposes of Case Management tool, the Sodexo entity that receives and processes your request or inquiry (herein referred to as the “Sodexo entity handling your case”) is the Controller for the Personal Data used for the purposes described in Section 4 below.
We may collect your Personal data in the following ways below:
We will collect your Personal data on a mandatory basis where this is required by applicable local laws or where this is necessary to provide the services and features of the Case Management tool.
If we are unable to collect these mandatory Personal data items, we will not be able to manage your access to the Case Management tool or to provide the related services and features.
|
Data Processing Activities |
Purposes |
Categories of Personal Data |
Legal Basis |
|
User Authentication and Access Management(only for Sodexo current employees) |
To enable secure login and access to the HR Case Management tool; |
|
Legitimate interest. |
|
Case Handling and Resolution |
To register, manage, and resolve HR-related cases, queries, and requests submitted; Communication between Case Specialists and the requester during the life cycle of a case. |
|
Contractual Performance
Legal Obligation |
|
Local reporting and auditing, including compliance with Sodexo policies and local regulations |
To ensure compliance with Sodexo policies and local regulations. |
|
Legitimate Interest Legal Obligation |
As a general rule, country-specific data is not transferred to other locations (e.g., as a principle, data related to Italy should only be accessible by employees in Italy). However, data transfers may still occur to other entities within the Group, as Sodexo operates in an international and decentralized manner (e.g., for complex cases or requests, escalation to the Group teams may be required).
Please be advised that we take the security and privacy of your Personal data very seriously. This is why we ensure that access to your Personal data is limited to authorized personnel on a need-to-know basis only and that all members of staff are required to keep it confidential.
When transferring Personal data to other Sodexo entities in different countries, Sodexo is committed to complying with applicable data protection laws, including with the GDPR, to ensure such transfers are lawful and secure. In particular, Sodexo has implemented the appropriate safeguards in accordance with the relevant laws and rules, such as the Sodexo Group Binding Corporate Rules (BCR), which govern the processing of Personal data within our group, ensuring that all Sodexo affiliates adhere and comply to the same high standards of data protection, including when transferring data between our entities.
For the purposes of this tool, your Personal data will be disclosed and transferred to our service providers, as well as their affiliates and third parties as deemed necessary, for the provision of operational and technical support.
All these service providers are bound by confidentiality and data processing agreements with Sodexo, which ensure that such providers may only process your data under Sodexo instructions.
Furthermore, we may share your Personal data if (i) the law or a legal procedure demands it, (ii) in response to a request by public authorities or other officials, or (iii) if we are of the opinion that it's necessary to prevent harm or loss, or to investigate unlawful activity.
As a general rule, our Case Management tool does not collect or process sensitive personal data through the system unless it is strictly necessary to manage and resolve a specific case.
“Sensitive Personal data” refers to any information concerning a person’s racial or ethnic origins, political opinions, religious or philosophical beliefs, union membership, health data, or data relating to the sexual life or the sexual orientation of a natural person. This definition also includes Personal data relating to criminal convictions and offenses.
If the collection or processing of such data is required to resolve a case, or if you voluntarily provide sensitive data in the description of your case, it will be processed securely and in accordance with applicable data protection laws and regulations.
Our Case Management tool (including the email feature) is intended for use by adults only. The system is not designed for direct use by children.
However, in certain cases, Case Management tool may process personal data of children, such as for benefits administration, family-related leave, or dependent information, when necessary to fulfil HR-related purposes. In all such instances, the processing of a child’s personal data is carried out in compliance with applicable data protection laws.
It is important that the Personal data we hold about you is accurate and up to date. Where possible, please keep us informed if your personal data changes - for example, by updating your account in the HR tools if you are a Sodexo employee, or by contacting your primary Sodexo point of contact.
Sodexo is committed to ensuring protection of your privacy rights under applicable laws. You will find below a summary of your privacy rights under the applicable data protection law:
You may have additional privacy rights under the data protection laws in your country. For more information on these rights and how to exercise them, please check your local HR data protection notice, or reach out to your primary Sodexo point of contact.
To exercise these rights,
No fee usually required:
You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.
Third party beneficiary rights
If applicable in your country, you can enforce the third-party beneficiary rights afforded to you by the Sodexo BCRs.
We implement all possible technical and organizational security measures to ensure security and confidentiality in Processing your Personal data, in accordance with our Group Information Security Policy. Here are some examples of such measures: physical protection of our premises, authentication procedures, secured access via identifiers and confidential passwords, connection logs, encryption of certain data, regular audits, contractual agreements with our service providers, completion of Privacy Impact Assessments, among others.
Nevertheless, please be reminded that you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet. In particular, we ask you to handle your user account information, including passwords and email addresses, with utmost confidentiality and care. Do not disclose or share this information with anyone, including other employees.
Please note that this Privacy Notice may be amended, supplemented or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively. Please consult this page from time to time if you want to be informed of any possible changes.
If you have any questions or comments with regard to this policy, please do not hesitate to contact the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. If you are unsure who your Local Data Protection Point of Contact is, please reach out to your primary Sodexo point of contact - for example, your HR representative/recruiter, supervisor or contract manager - who will assist you in connecting with the appropriate Data Protection contact.
Latest update: November 2025.