HR Case Management Privacy Policy

Ivanti HR Case Management (“Case Management tool”) is a system that helps HR teams handle and resolve questions or issues from current and former employees, candidates, contractors and other external partners. It makes it easier to track requests, such as questions about pay, benefits, leave, or company policies, which are then reviewed, followed up on, and resolved by the right Sodexo team.

This policy applies to all individuals who access, interact with, or submit requests to the Case Management tool.

Please note that when you submit a request to the designated Case Management email address, a case is created in the Case Management tool.

1. Purpose of this policy

The following information is provided to you to inform you of Sodexo’s (hereinafter, “Sodexo” or “we”) commitments when processing Personal data.

Sodexo’s objective is to build strong, lasting relationships with everyone based on mutual trust: making sure that your Personal data is safe and remains confidential is a priority for Sodexo.

In particular, Sodexo is committed to complying with all applicable Data Protection Laws and Regulations, including with the General Data Protection Regulation of April 27, 2016 (GDPR).

Please take the time to review this privacy policy carefully to understand how your Personal data is handled within Case Management tool and to get to know your privacy rights. If you have any questions or concerns about this policy, please do not hesitate to contact the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. If you are unsure who your Local Data Protection Point of Contact is, please reach out to your primary Sodexo point of contact - for example, your HR representative/recruiter, supervisor or contract manager - who will assist you in connecting with the appropriate Data Protection contact.

Please note that by logging into the Case Management tool, or by submitting a case via email, you acknowledge that you have read and understood this Privacy Notice and the terms specified herein.

FOR SODEXO EMPLOYEES

If you are a Sodexo employee using the Case Management tool, please make sure to review your local HR Data Protection Notice to learn more about how the Sodexo entity acting as your employer processes your data.

2. Identity and contact details of the Controller

What is a data "controller"? A controller is an entity (company) that decides “why” (the purposes) and “how” (the means) Personal data is collected and used. In particular, for the purposes of Case Management tool, the Sodexo entity that receives and processes your request or inquiry (herein referred to as the “Sodexo entity handling your case”) is the Controller for the Personal Data used for the purposes described in Section 4 below.

3. How will your Personal data be collected? Is it mandatory that you or others provide your Personal data?

We may collect your Personal data in the following ways below:

Collection of your Personal data directly from you when you provide information related to your case, such as when you open a case, submit documentation or communicate with our case management teams; and
Collection of your Personal data indirectly during your navigation of the Case Management tool or via our service providers and/or technologies.

We will collect your Personal data on a mandatory basis where this is required by applicable local laws or where this is necessary to provide the services and features of the Case Management tool.

If we are unable to collect these mandatory Personal data items, we will not be able to manage your access to the Case Management tool or to provide the related services and features.

4. For which purposes and on which legal basis will your Personal data be collected and processed? What Personal data does Sodexo hold?

We may process, use, and disclose your Personal data for certain purposes as detailed below (by no means is this list exhaustive). We will collect and process your Personal data where necessary to provide you an access to the Case Management tool, or when it is necessary to comply with a legal obligation to which we are subject. We will also collect and process your Personal data for Sodexo’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms. Where legitimate interests do not apply as a lawful basis for the Processing of Personal data under the applicable data protection laws, prior explicit consent will be alternatively collected if required by law.

Data Processing Activities	Purposes	Categories of Personal Data	Legal Basis
User Authentication and Access Management(only for Sodexo current employees)	To enable secure login and access to the HR Case Management tool;	Single Sign-On (SSO) User Account Information;	Legitimate interest.
Case Handling and Resolution	To register, manage, and resolve HR-related cases, queries, and requests submitted; Communication between Case Specialists and the requester during the life cycle of a case.	Name; Professional Information( Employee ID,Business Unit, Cost Center, Department, Hire Date and, where applicable, Termination Date, Job Title, Division , Legal Entity, Line / Reporting manager,Professional email address, Country, Workplace Location); Contact details; Case Information (Case ID and category,Supporting documentation, Description of issue or request, Case outcome, Communication Content with Case Management team/Case Specialists.	Contractual Performance Legal Obligation Legitimate interest
Local reporting and auditing, including compliance with Sodexo policies and local regulations	To ensure compliance with Sodexo policies and local regulations.	Name; Professional Information ( Employee ID, Business Unit, Cost Center, Department, Hire Date and, where applicable, Termination Date, Job Title, Division , Legal Entity, Line / Reporting manager,Professional email address, Country, Workplace Location); Contact details; Case Information (Case ID and category, Supporting documentation,Description of issue or request, Case outcome, Communication Content with Case Management team/Case Specialists.	Legitimate Interest Legal Obligation

5. To whom will your Personal data be disclosed?

Within Sodexo Group

As a general rule, country-specific data is not transferred to other locations (e.g., as a principle, data related to Italy should only be accessible by employees in Italy). However, data transfers may still occur to other entities within the Group, as Sodexo operates in an international and decentralized manner (e.g., for complex cases or requests, escalation to the Group teams may be required).

Please be advised that we take the security and privacy of your Personal data very seriously. This is why we ensure that access to your Personal data is limited to authorized personnel on a need-to-know basis only and that all members of staff are required to keep it confidential.

When transferring Personal data to other Sodexo entities in different countries, Sodexo is committed to complying with applicable data protection laws, including with the GDPR, to ensure such transfers are lawful and secure. In particular, Sodexo has implemented the appropriate safeguards in accordance with the relevant laws and rules, such as the Sodexo Group Binding Corporate Rules (BCR), which govern the processing of Personal data within our group, ensuring that all Sodexo affiliates adhere and comply to the same high standards of data protection, including when transferring data between our entities.

Outside of the Sodexo Group

For the purposes of this tool, your Personal data will be disclosed and transferred to our service providers, as well as their affiliates and third parties as deemed necessary, for the provision of operational and technical support.

All these service providers are bound by confidentiality and data processing agreements with Sodexo, which ensure that such providers may only process your data under Sodexo instructions.

Furthermore, we may share your Personal data if (i) the law or a legal procedure demands it, (ii) in response to a request by public authorities or other officials, or (iii) if we are of the opinion that it's necessary to prevent harm or loss, or to investigate unlawful activity.

6. How long will your Personal data be held?

We will only retain your Personal data for as long as is necessary to fulfil the purposes we collected it for and for the purposes of satisfying any legal, accounting, or reporting requirements.
Generally, we retain your Personal data for as long as necessary to manage and resolve your case;
Following the resolution or closure of your case, we may retain your data for as long as mandated by local regulations or necessary to support legal claims or protect Sodexo’s legitimate interests. The specific retention period may vary by country, in line with local legal and regulatory requirements.
Please note that we may anonymize your Personal data in such a way that you can no longer be identified and continue to use it for statistical purposes. Data used for statistical purposes is no longer classified as Personal data once it has been duly anonymized.
For more details on data retention practices, please contact the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. If you are unsure who your Local Data Protection Point of Contact is, please reach out to your primary Sodexo point of contact - for example, your HR representative/recruiter, supervisor or contract manager - who will assist you in connecting with the appropriate Data Protection contact.

7. Sensitive Personal data

As a general rule, our Case Management tool does not collect or process sensitive personal data through the system unless it is strictly necessary to manage and resolve a specific case.

“Sensitive Personal data” refers to any information concerning a person’s racial or ethnic origins, political opinions, religious or philosophical beliefs, union membership, health data, or data relating to the sexual life or the sexual orientation of a natural person. This definition also includes Personal data relating to criminal convictions and offenses.

If the collection or processing of such data is required to resolve a case, or if you voluntarily provide sensitive data in the description of your case, it will be processed securely and in accordance with applicable data protection laws and regulations.

8. Personal Information and Children

Our Case Management tool (including the email feature) is intended for use by adults only. The system is not designed for direct use by children.

However, in certain cases, Case Management tool may process personal data of children, such as for benefits administration, family-related leave, or dependent information, when necessary to fulfil HR-related purposes. In all such instances, the processing of a child’s personal data is carried out in compliance with applicable data protection laws.

9. Your Privacy Rights

It is important that the Personal data we hold about you is accurate and up to date. Where possible, please keep us informed if your personal data changes - for example, by updating your account in the HR tools if you are a Sodexo employee, or by contacting your primary Sodexo point of contact.

Sodexo is committed to ensuring protection of your privacy rights under applicable laws. You will find below a summary of your privacy rights under the applicable data protection law:

Right of Access and rectification of your Personal data available in the Case Management tool;
Right to be forgotten/Right to erasure of your Personal data available in the Case Management tool in certain circumstances;
Right to restriction of processing in certain circumstances;
Right to data portability to another Controller;
Right to object to processing or to remove your consent;
Right to not be subject to automated processing;
Right to lodge a complaint to the relevant authority (in your country of residence or work).

You may have additional privacy rights under the data protection laws in your country. For more information on these rights and how to exercise them, please check your local HR data protection notice, or reach out to your primary Sodexo point of contact.

To exercise these rights,

You can raise queries or complaints with the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. As mentioned above, if you are unsure who this contact is, or if you are unable to identify them, please reach out to your primary Sodexo point of contact, such as your HR representative/recruiter, supervisor or contract manager who can assist you in finding the appropriate data protection contact. You can also write at the physical address of the Sodexo entity handling your case, with the communication sent to the data protection team. Please specify in your request that it relates to the processing of your Personal data within Ivanti Case Management tool.

No fee usually required:

You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal data is not disclosed to any person who has no right to receive it.

Third party beneficiary rights

If applicable in your country, you can enforce the third-party beneficiary rights afforded to you by the Sodexo BCRs.

10. How will my Personal data be protected?

We implement all possible technical and organizational security measures to ensure security and confidentiality in Processing your Personal data, in accordance with our Group Information Security Policy. Here are some examples of such measures: physical protection of our premises, authentication procedures, secured access via identifiers and confidential passwords, connection logs, encryption of certain data, regular audits, contractual agreements with our service providers, completion of Privacy Impact Assessments, among others.

Nevertheless, please be reminded that you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet. In particular, we ask you to handle your user account information, including passwords and email addresses, with utmost confidentiality and care. Do not disclose or share this information with anyone, including other employees.

11. How will you be notified if the uses of your Personal data change?

Please note that this Privacy Notice may be amended, supplemented or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively. Please consult this page from time to time if you want to be informed of any possible changes.

If you have any questions or comments with regard to this policy, please do not hesitate to contact the designated Local Single Data Protection Point of Contact for the Sodexo entity handling your case. If you are unsure who your Local Data Protection Point of Contact is, please reach out to your primary Sodexo point of contact - for example, your HR representative/recruiter, supervisor or contract manager - who will assist you in connecting with the appropriate Data Protection contact.

Latest update: November 2025.