Policy for handling requests and complaints regarding the protection of personal data
1. Preamble
Benefit Seven SA, an entity of the Sodexo group, undertakes to process personal data in accordance with the General Data Protection Regulation (GDPR) and any other applicable law, and aims to promptly and efficiently process any querries regarding the processing of personal data by Benefit Seven SA.
In some cases, Sodexo entities may act as a proxy on behalf of a customer. In this case, the Customer shall be responsible for handling the data subject’s complaints regarding compliance with the GDPR and the data subject’s personal data.
2. Definitions
Customer – organisations or corporations which request Benefit Seven SA to perform services on their behalf for on-site employees/staff who are the end users of these services.
Complaint – a complaint lodged by a data subject with a supervisory authority or a court of law if the data subject considers that his or her rights under the GDPR have been infringed.
Controller – the entity which establishes the purposes and means of processing personal data.
Data subject – an identified or identifiable natural person whose personal data are processed by Benefit Seven, including personal data of current, past and future Benefit Seven applicants, employees, customers, consumers/beneficiaries, suppliers/collaborators, contractors/subcontractors, shareholders or any third parties
General Data Protection Regulation or GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Group Data Protection Officer – the person designated and approved by the Sodexo Group Executive Committee to oversee data protection issues at Sodexo Group level, to define and administer the Sodexo Data Protection Compliance Programme, implicitly Benefit Seven, and data protection best practices to ensure their implementation as set out in the Regulation
Local Data Protection Single Point of Contact – the natural person designated by a Sodexo entity, responsible for dealing with local data protection issues. In some cases, the single point of local contact for data protection may be designated as the data protection officer, if required by applicable data protection laws
Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Processing or Processing of Personal Data – any operation or set of operations performed on personal data or on personal data sets, whether or not by automated means such as collection, recording, organisation, structuring, adapting or modifying, storing, searching, consulting, using, disclosing by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Request – one of the mechanisms provided by the GDPR to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.
Sodexo entity or Sodexo entities – any corporation, partnership or other entity or organisation which is admitted from time to time as a member of the Sodexo Group. Collectively referred to as “Sodexo”
3. Purpose
Benefit Seven SA undertakes to manage personal data in accordance with the General Data Protection Regulation (GDPR). We aim to quickly and efficiently address any issue related to the processing of personal data and/or non-compliance with the Sodexo Mandatory Corporate Rules.
This Policy applies to the processing of personal data directly or indirectly collected by Benefit Seven SA from all persons, including, but not limited to, past, present or future job applicants of Benefit Seven SA, employees, customers, consumers, children, suppliers/suppliers, contractors/subcontractors, shareholders or any third parties, “personal data” being defined as any data relating to an identified or identifiable person or to a person who can be identified by means reasonably likely to be used.
In this Policy, “you” shall mean any person defined above. “We”, “ours” and “Benefit Seven” shall mean Benefit Seven SA, a Sodexo entity.
4. Types of complaints considered
All complaints regarding the processing by Benefit Seven SA of personal data shall be processed in accordance with the procedure set out below (4. Processing of complaints). The following are non-exhaustive examples of the types of issues which may be raised:
If your issue does not fall within the scope of this procedure, you will be notified of the process to be followed.
5. Your rights under the GDPR
Supervisory Authority – an independent public authority which is established by a Member State, as specified in the GDPR
Abusive or illicit processing of personal data Improper use of personal data Unauthorised access to personal data
Loss of personal data.
Benefit Seven SA undertakes to ensure the protection of your rights in accordance with applicable laws.
If Benefit Seven SA processes your personal data for its own purposes, please refer to the “Your rights” section in our Privacy Policy.
If Benefit Seven SA processes personal data on behalf of a customer, Benefit Seven SA shall notify the Customer of any request of the data subject. Benefit Seven SA shall cooperate and provide the Customer with assistance in connection with the request, to the extent permitted by law and only to resolve the request.
Therefore, you may request access to your personal data. You may also request the rectification or completion of inaccurate personal data.
In addition, your right to be forgotten allows you to request the deletion of personal data in cases where (i) the data is no longer necessary for the purpose it was collected or processed, (ii) you have chosen to withdraw your consent, (iii) you object to the processing by automated means using technical specifications, (iv) your personal data has been illegally processed and (v) there is a legal obligation to delete your personal data and (vi) the deletion is necessary to comply with applicable laws.
You may also request a restriction on the processing, in cases where (i) you have challenged the accuracy of the personal data, (b) Benefit Seven SA no longer needs the personal data for the purpose of processing and (c) you have challenged the processing of legitimate reasons for the data concerning you. In addition, you have the right to request and receive the personal data concerning you.
You may also request, if necessary, to receive the personal data which you have provided to Benefit Seven SA, in a structured, commonly used and automatically readable format, or you may request your data to be transmitted to a third party of your choice.
You may object to the processing of your personal data (especially for profiling or marketing purposes). When we process your personal data based on your consent, you may withdraw your consent at any time.
These rights may be exercised in accordance with the overall policy on the management of the rights of data subjects.
6. What should you do if you have a complaint?
Our approach is to engage and resolve your complaint satisfactorily, so that you do not need to contact a regulator or a court. If you have any concerns or issues about how your personal data has been processed, you should not hesitate to contact your contact person with Benefit Seven SA, e.g. your HR manager or contact point. To help us resolve your complaint, provide a full written explanation of your issues by completing the data protection complaint form we provide.
7. Complaint handling
Complete and send the complaint form by email to the email address indicated in the
privacy policy provided when collecting your personal data and/or to the data protection officer at: privacy@benefitseven.ro
At the time of writing the complaint, in order to allow Benefit Seven SA to deal promptly and in the most efficient manner with your complaint, you are invited to follow the procedure below:
STEP 1: Complete the data protection complaint form and send it to one or more of the contact points listed on the form.
STEP 2: Your complaint will be treated confidentially and fully investigated where necessary. During this process, you may receive additional information from your local data protection officer to investigate your request. If you have not provided sufficient information in your complaint, we will notify you of the additional information required to process the complaint.
STEP 3: Once the information regarding your complaint is complete, we will contact you within thirty (30) days to propose a solution. This period may be extended in certain circumstances, depending on the nature of the complaint.
STEP 4: If you are not satisfied with the outcome of the review by the Global Data Protection Office or have not received a response within the above deadline, you may later appeal by contacting a local court or the Data Protection Supervisor. Please note that you may choose to lodge a complaint with the Data Protection Supervisor in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages as a result of the processing of your personal data.
You may access the complaint form here.