School Food United by Sodexo

PRIVACY POLICY

Last update: 12/11/2020

Purpose of this policy

  • This Privacy Policy (“Policy”) describes how we use and protect your personal data for the management of this Portal, who will have access to it and for what purposes, what your rights are and how you can get in touch with us to exercise these rights or to ask us any questions you might have concerning the protection of your personal data.
  • This Policy may be amended, supplemented or updated, to comply with any legal, regulatory, case law or technical developments that may arise.

WHAT IS THE PORTAL?

  • The Portal is designed to facilitate contact-free ordering and payment for school meals.
  • The Portal School Food United is provided by Sodexo and operated on behalf of its subsidiary companies, (Class Catering Services Ltd, The Contract Dining Company Ltd, AIP Catering Ltd and Alliance in partnership Ltd) to customers for the purpose of purchasing school meals.
  • Access to the personal data processed through the Portal is limited to Sodexo and their subsidiaries authorized persons on a need-to-know basis.

DEFINITIONS

  • Portal” means the consumer web portal called School Food United
  • “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
  • “Personal data” means any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person.
  • Us” or “Our” means Sodexo and its subsidiaries, insofar as it is concerned.
  • You” any Portal user.

 IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

  • Sodexo Ltd, Registered No: 2987170, registered office at One Southampton Row, London, WC1B 5HA. Email : DataProtection.UKandIE@Sodexo.com

COLLECTION AND SOURCE OF PERSONAL DATA

  • We will most likely collect your Personal data directly from you and the children you add to the account (in particular via the data collection forms on the Portal and transaction data).
  • We undertake to obtain your consent and/or to allow You to refuse the use of your Personal data for certain purposes whenever necessary.

 

WHAT ARE THE TYPES OF PERSONAL DATA COLLECTED AND USED BY US?

  • We may collect and use the following categories of Personal data relating to you and children you list on your account:
  • The information that You provide when filling in the forms on the Portal or corresponding with us by email or via the Portal, (for example, for subscription purposes, to participate in surveys, for marketing and rewards purposes, etc.); This may include your name, email address, phone number, details of pupils school and class, free schools meals and transaction history.
  • The information that You provide for authentication purposes your name and contact details (email and phone);
  • The information that You provide for order fulfillment or to receive a service;
  • Your transactional data;
  • Metadata and navigation data; (usage and permissions on the Portal)
  • Anonymised statistical data; With regard to each of your visits to the Portal we may automatically collect information about your computer and/or your mobile device, including, where available, your IP address, operating system and browser type, for system administration and to report aggregate information. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.
  • Payment Information; In order to make a payment using the Portal, you will need to enter your payment information. Payment processing services are provided by a specialist third party provider called Stripe (the “Payments Processor”).

 

Is it mandatory that I provide personal data to THE portal?

  • Yes, some personal data mandatory. If we do not get your Personal data, or that of the pupils you are paying for school meals for, you and the pupils will not be able to use the Portal and benefit from the services offered.
  • Some personal data is optional. For example, you can provide other information to receive a more personalized service and choose whether to receive offers and news.

How and for which purposes will THE personal data COLLECTED be used?

  • We use your and pupils you add, Personal data specifically for the following purposes:
    • To manage your account and your access to the platform;
    • To communicate with You and to respond to your queries or requests;
    • To provide, deliver and improve the services and offers available on the Portal;
    • To allow you to pay your order on the Portal
    • To conduct satisfaction surveys and perform statistics analyses;
    • To make available to You or notify You about exclusive offers, products or services, unless objected by You;
    • To carry out data analytics and statistical analysis to monitor the quality and operational excellence of Our services and the Portal;
    • anonymized statistical reporting may be shared with client organisations where the Portal is used.
    • To manage Our contractual relationship with You;
    • To customize your experience on the Portal;
    • To prevent potential fraud and ensure the security of Our IT systems
    • To comply with Our legal and regulatory obligations
    • Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
    • In order to improve the Application, or where necessary (e.g. real time customer service chat or making payments) we may use small files commonly known as “cookies”. A cookie is a small amount of data which often includes a unique identifier that is sent to your computer or mobile phone (referred to in this policy as a “device”) from the Application and is stored on your device’s hard drive. A cookie records on your device information relating to your internet activity (such as whether you have visited our website before). The cookies we use on the Application won’t collect personally identifiable information about you and we won’t disclose information stored in cookies that we place on your device to third parties.
    • Google Analytics. We use Google Analytics which is a web analytics service provided by Google Inc. in order to understand how visitors to the Application use the Application. The Google Analytics cookies collect information about how people are using the Application, for example which pages are visited the most often, how people are moving from one link to another and if they get error messages from certain pages. The cookies do not gather any information that identifies you. The information these cookies collect is grouped together with information from other people’s use of the Application on an anonymous basis. Overall, these cookies provide us with analytical information about how the Application is performing and how we can improve our service.

ON WHICH LEGAL BASIS WILL MY PERSONAL DATA BE COLLECTED AND PROCESSED?

  • We may have to collect and process your Personal data where necessary for the performance of a contract to which You are subject or for the benefit of the pupils on your account, as well as for Sodexo’s legitimate interests except where such interests are overridden by your or the pupils’ interests or fundamental rights and freedoms. We will also rely on your consent to collect and process any sensitive Personal data or receive marketing. You will be able to withdraw your consent at any time.

TO WHOM WILL the PERSONAL DATA BE DISCLOSED?

  • We will not disclose your Personal data to any unauthorized third parties. Your Personal data will only be available to internal or external third parties, who need such access for the purposes listed above or where required by law, for claims or to prevent fraud. Personal data may be shared with other Sodexo Group Companies only where necessary, for fulfilment of an order, where joint services are provided, or for legal, reporting or business re-organisation.
  • The main categories of data recipients are the following (without this list being exhaustive): our Subsidiary Companies ( who provide catering services, Class Catering Services Ltd, The Contract Dining Company Ltd, AIP Catering Ltd and Alliance in partnership Ltd) authorized internal persons, third-party service providers or other contractors who process Personal data on behalf of Sodexo and, as the case may be, judicial and regulatory authorities.
  • We will need to pass your details to the payment processor in order for you to make payments on the Portal.
  • Different access levels are applied to data captured by the Portal to ensure that such data is visible only to appropriate persons who need such access for the purposes listed above or where required by law.
  • We do not authorize Our service providers to use or disclose your Personal data, except to the extent necessary to deliver the services on Our behalf or to comply with legal obligations.
  • The data that we collect from you will be stored on our secure servers within the European Economic Area (“EEA”) or UK.

How will the personal data be protected?

  • We implement appropriate technical and organizational measures to protect Personal data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with Our Group Information & Systems Security Policy.
  • We take, when appropriate, all reasonable measures based on privacy by design and privacy by default principles to implement the necessary safeguards and protect the Personal data processing. We also carry out, depending on the level of risk raised by the processing, a privacy impact assessment to adopt appropriate safeguards and ensure the protection of the Personal data. We also provide additional security safeguards for data considered to be sensitive Personal data.
  • Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Application, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
  • Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Application; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

HOW CAN I ACCESS MY PERSONAL DATA?

  • Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights, where applicable:

 

RIGHT OF ACCESS

You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.

You can request any available information as to the source of the Personal data, and You may also request a copy of your Personal data being processed by Sodexo.

RIGHT TO BE FORGOTTEN

Your right to be forgotten entitles You to request the erasure of your Personal data in cases where:

(i)    the data is no longer necessary in relation for the purposes of its collection or processing;

(ii)   You choose to withdraw your consent;

(iii)  You object to the processing by automated means using technical specifications;

(iv)  your Personal data has been unlawfully processed;

(v)   there is a legal obligation to erase your Personal data;

(vi)  erasure is required to ensure compliance with applicable laws.

RIGHT TO RESTRICTION OF PROCESSING

You may request the restriction of processing in the cases where:

(i)    You contest the accuracy of the Personal data;

(ii)   Sodexo no longer needs the Personal data, for the purposes of the processing;

(iii)  You have objected to processing for legitimate reasons.

RIGHT TO DATA PORTABILITY

You can request, where applicable, the portability of your Personal data that You have provided to Sodexo, in a structured, commonly used, and machine-readable format You have the right to transmit this data to another Controller without hindrance from Sodexo where:

a)    the processing of your Personal data is based on consent or on a contract; and

b)    the processing is carried out by automated means.

You can also request to transmit directly your Personal data to a third party of your choice (where technically feasible).

RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING

You may object (right to “opt-out”) to the processing of your Personal data (notably to profiling or to marketing communications). When we process your Personal data on the basis of your consent, You can withdraw your consent at any time.

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISIONS

 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.

RIGHT TO LODGE A COMPLAINT TO THE COMPETENT SUPERVISORY AUTHORITY

You can choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. Personal Data
You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence. In the UK the authority is the ICO https://ico.org.uk

 

You can use this form to make a request : click here

This electronic system allows you to log in and see the progress of your request, see and send messages and review your documents securely. This system is called One Trust and after making the request you will be sent details about how to log on. 

Alternatively, you can also send your request by email to DSAR.UKandIE@sodexo.com, in writing to 310 Broadway, Salford, M50 2UE or by calling Sodexo PeopleCentre on 0845 603 3644 and asking for DSAR team. The team will liaise with you about how you to contact you about your request and receive information.  Please note that it is usually necessary to arrange a telephone appointment to discuss your request once it has been made.

If you wish to unsubscribe to marketing emails communications, you can also do so by changing your preferences on your account.

HOW LONG WILL MY PERSONAL DATA BE HELD?

  • Generally, the Personal data collected through the Portal will be anonymized after 12 months of inactivity/closure of the account or three years after its collection unless it is required to kept for a legal reason.

How will I be notified if the uses of my data change?

  • If the use of Personal data in the Portal significantly changes, we will issue an updated Policy and/or take other steps to notify You beforehand of such changes so that You may review them and check whether they are acceptable (to the extent necessary) to You.

 

WHO IS MY LOCAL SYSTEM ADMINISTRATOR?

If You should require any further information concerning this Policy and/or the Portal, please contact our Customer Support Team by email to parents.schoolfoodunited@ainp.co.uk .