Data protection rights management policy 

1.    Preamble

Pluxee Group is committed to handling Personal Data in compliance with the General Data Protection Regulation (GDPR) and any other applicable law and aims to deal promptly and efficiently with any queries relating to the Pluxee entities’ processing of Personal Data.

In some cases, Pluxee entities may act as a Processor on behalf of a Client. In this instance the Client is responsible for handling Data subject Requests relating to compliance with the GDPR and the Data subject’s Personal Data. 

2.    Definitions 

You will find hereafter definitions of various technical terms we use in the following pages. The meaning of every technical term written with a capital letter will be defined in this section.

•    Client means organizations or corporations that instructs, as Data Controller, Pluxee to perform services and process Personal Data on their behalf for their employees that are the end-users of these services.

•    Complaint means the complaint lodged by a Data subject with a Supervisory Authority or a court of justice if the Data subject considers his or her rights under GDPR are infringed.

•    Data Controller means the entity that determines the purposes and means of the Personal Data processing. 

•    Data subject means an identified or identifiable individual whose Personal Data is concerned by processing within Pluxee, including the Personal Data of Pluxee’s current, past and prospective applicants, employees, clients, consumers/beneficiaries, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
 
•    General Data Protection Regulation or GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC 

•    Group Data Protection Officer means the person appointed to oversee data protection issues at the Pluxee Group level, to define and administer the Pluxee data protection compliance program and good practices relating to data protection and to ensure their implementation. 

•    Local Privacy Leader(s) means the individual appointed by a Pluxee entity, in charge of handling local data protection issues. In some cases, the local Privacy Leader can be appointed as Local Data Protection Officer where required by applicable data protection law. 

•    Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

•    Pluxee Group entity or Pluxee entities means any company or economic interest which is directly or indirectly owned by Pluxee International with at least 50% of the share capital and voting rights (Collectively referred to as “Pluxee“ or “Pluxee Group”). 

•    Processing or Personal Data Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

•    Request means one of the mechanisms provided by the GDPR to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.

•    Supervisory Authority means an independent public authority which is established by a Member State as specified in the GDPR. 
 

3.    Scope

This policy applies to the global organization of Pluxee entities (hereinafter designated as “Pluxee”) for all dimensions and activities, in all geographies where we operate and where the General Data Protection Regulation applies.

This policy applies to the Processing of Personal Data collected by Pluxee, directly or indirectly, from all individuals including, but not limited to Sodexo’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.

In this policy, “you” and “your” means any covered individual. “We”, “us”, “our” and “Pluxee” means Pluxee.

4.    Your data protection rights under GDPR
 

Under the GDPR you are offered various rights that you can exercise under the conditions set out in the regulation. You will find below a table summarizing the different rights you usually own when Pluxee is acting as a Data Controller:  

Rights  Description of your rights 
Right of access and rectification  You can obtain all the information listed under Art. 15 GDPR and/ or request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed. 
Right to erasure  Your right to be forgotten entitles you to request the erasure of your Personal Data in cases where: 
•    the data is no longer necessary for the purpose for which it was collected; 
•    you choose to withdraw your consent; 
•    you object to the processing of your Personal Data; 
•    your Personal Data has been unlawfully processed; 
•    there is a legal obligation to erase your Personal Data; 
 
Right to restriction of processing  •    You may request that processing of your Personal Data be restricted in the cases where: 
•    you contest the accuracy of your Personal Data; 
•    we no longer needs your Personal Data for the purposes of the processing; 
•    you have objected to processing for legitimate reasons. 
•    the processing of your Personal Data is unlawful and you prefer the restriction of their use instead of their deletion. 
 
Right to data portability  You can request, where applicable, the portability of your Personal Data that you have provided to us, in a structured, commonly used, and machine-readable format and you have the right to transmit this data to another Controller without hindrance from us where: 
•    the processing of your Personal Data is based on your consent or on a contract; and 
•    the processing is carried out by automated means. 
•    You can also request that your Personal Data be transmitted to a third party of your choice (where technically feasible). 
 
Right to object to processing  Data particularly in relation to profiling or to marketing communications. When we process your Personal Data on the basis of your consent, you can withdraw your consent at any time. 
Right not to be subject to automated decisions  You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you. 
Right to lodge a complaint  You can choose to lodge a complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. You have also the right to lodge your complaint before the courts where the Pluxee entity has an establishment or where you have your habitual residence. 
Right to withdraw consent In the circumstances where you may have provided your specific consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. When you provide your consent, you will ordinarily be provided with the method to withdraw it. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Right to define post-mortem directives  In accordance with the French Data Protection Act, you have the possibility to define directives relating to the conservation, deletion, and communication of your Personal data after your death. 

These directives can be registered with a trusted digital third party, certified by the CNIL and responsible for enforcing your wishes in accordance with the requirements of the applicable regulations on the protection of Personal Data. 
 

Please refer to our Pluxee Group Data Protection Statement for more details on the legal basis applying to the data processing activities carried out by Pluxee International and /or the entities of the Pluxee Group.  You may also consult the local and/or service-related privacy policies or notices brought to your attention prior to the collection of your data to have more specific information on specific and/or local data processing activities. Local laws may also grant you additional rights which will be detailed in local privacy policies or notices.

Where Pluxee processes Personal Data on behalf of a Client, the latter will usually provide you with the required information on your rights, how you might exercise your rights and the way your Requests will be processed by the Client. 
 

5.    How to submit a Request?

To help us to deal with your Request, please provide a full written explanation of your query by completing the Request Form in Annex or by completing the Request webform.

Please note that these request forms exist to facilitate the filing of your Request and its processing by our teams but their use is not mandatory. You can also raise your queries or complaints orally or in writing with no defined form.

6.    How will your Request be handled? 

Our approach is to engage positively and resolve your Request in a satisfactory manner. This is why we have put in place internal processes that enable our teams to handle your requests in the best possible way.

Once you have drafted and notified your Request to us, to Pluxee will deal promptly with your Request in the most efficient manner, as follows: 
 

STEP 1: Your Request will be treated confidentially and fully investigated where necessary. During this process, you may receive communication from the relevant Pluxee Privacy teams and/or Pluxee’s Global Data Protection Office to investigate your concern. If we need additional information to address your Request, we will let you know what further elements are  needed.  At this stage, if you did not provide us with all the mandatory information elements in the initial Request and/or in response to our communication we might not or not sufficiently be able to deal with you Request.

STEP 2: Once the information related to your Request is complete, we will contact you within thirty (30) days to provide you with an answer. This deadline may be extended in certain circumstances, depending on the nature of the Request. At this stage the ball is in our camp and no action is required from your side.

STEP 3: If you have any queries with the Processing of your Personal Data or consider that your Request has not been processed in a satisfactory manner by us, you should not hesitate to raise your query to Pluxee Group DPO at dpo@pluxeegroup.com. We will get back to you as soon as possible.
Please note that you can also choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. 

You have also the right to lodge your Complaint before the courts where the Pluxee entity has an establishment or where you have your habitual residence. 

If Pluxee receives a Request from a Data subject, while acting as a processor on behalf of a Client, the Request will be notified to the Client in accordance with the agreed timeframe. The Client will be in charge of handling such Request. However, Pluxee will cooperate and provide the Client with assistance in relation to the request, to the extent legally permitted.

Pluxee will directly handle Requests only when it is agreed with the Client or if the Client disappeared or cease to exist in law or became insolvent. 
 

 

 ANNEXE: REQUEST FORM

[To be sent by email to the generic email address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Data and/or to the Global Data Protection Office at the following email address: dpo@pluxeegroup.com]


Contact Information:
(Name (Last, First))    
(Telephone number)    
(Email address)    
(Postal address)    
Please indicate your preferred method of contact by ticking the box to the right. 
If your preferred method of contact is the postal address, please indicate where you would like our response to be sent:  
• Home Address or • Business Address 
If business address, please provide company name:     
    
    

In order to help us identify systems that may contain information about you, please check the boxes below that describe your relationship with Pluxee:
□    Job applicant
□    Former employee or contractor
□    Current employee of Pluxee
□    Employee family member, dependent, beneficiary or emergency contact
□    Employee of Pluxee Client or business partner
□    Employee of a Pluxee supplier or vendor
□    Individual – Consumer 
□    Other – please describe
    
    


If your information may be under another name, please provide that name and reason for the change:
    
    
    


We may request from you a certified copy of a valid official identification documentation to allow us to verify your name and address (e.g. valid passport or identity card).

If you request to access your Personal Data or request data portability, please specify the Personal Data or the categories of Personal Data which is subject to the request and confirm that they may be sent by email to the address above or, if technically feasible, to the address of a new Controller as set out below, for the data portability request:
    
    

If you request rectification of your Personal Data, please specify below the data to be rectified, and provide the justification for such request:
    
    

If you request that the Processing of your Personal Data is restricted please specify the processing in issue, and provide the justification for such request:

    
    

If you request the erasure of your Personal Data, please specify below the Personal Data to be deleted and provide the justification for such request:
    
    


If you object to the processing of your Personal Data, please specify below the Personal Data you object to us processing and provide the justification for such objection:
    
    


If you believe that your data protection rights may have been breached, you have the right to lodge a Complaint with the applicable supervisory authority, or to seek a remedy through the courts. You can also contact us if you have any queries or concerns. In such a case you can detail your query or concern here:
 


The information collected in this form is intended to enable the Group Data Protection Office to respond to your Request. This information will be archived after the Request has been treated for (05) five years and then deleted. For any question related to this Request Form, please send your request at the following email address: dpo@pluxeegroup.com