Privacy Policy | United Kingdom

Data Protection Policy

 The Data Controller is SODEXO CIRCLES UK LIMITED            
 
Address: One Southampton Row, London WC1B 5HA

Registration number: 05244331     

PURPOSE OF THIS POLICY CIRCLES takes the protection of your Personal data very seriously.  We have developed this policy to inform you of the conditions under which we collect, process, use and protect your Personal data on our website and in the context of the services provided by CIRCLES. This policy covers all users, including those who use the Website and the services without being registered or subscribing to a specific service or account (here in after collectively, the "Users").  Please read it carefully to familiarize yourself with the categories of Personal data that are subject to collection and processing, how we use this Personal data and with whom we are likely to share it. This policy also describes your rights and how you can get in touch with us to exercise these rights or to ask us any questions you might have concerning the protection of your Personal data. This policy may be amended, supplemented or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively. 

DEFINITIONS
Beneficiary
 persons designated by the Client as the beneficiary of Circles concierge services. Cookies As defined in the Cookie Policy Controller The Circles entity which, alone or jointly with other Circles or Sodexo entities, determines the purposes and means of the processing of personal data.
Client legal entity which has concluded a contract with Circles to set up and manage a concierge service. Partners any independent natural or legal person selected by Circles to perform certain services offered as part of a concierge service. Personal data any information relating to an identified natural person or one that can be directly or indirectly identified by reference to an identification number or to one or more factors specific to this person. Processing any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor a legal person -which processes personal data on behalf of the controller. Us or Our Circles acting as a Controller. You or Users any Website user and, including but not limited to, Clients, Beneficiaries Partners or Website visitors. Website the website of Circles available at the address: https://www.circlesbysodexo.co.uk/

COLLECTION AND SOURCE OF PERSONAL DATA
We will most likely collect your Personal data directly (in particular via the data collection forms on our website, portal, in person or by telephone) or indirectly via our service providers and/or technologies on our website. We undertake to obtain your consent and/or to allow you to refuse the use of your data for certain purposes whenever necessary. You will in any event be informed of the purposes for which your data is collected via the various online data collection forms and via the Cookie Policy.

TYPES OF PERSONAL DATA COLLECTED AND USED BY US
We may specifically collect and process the following types of Personal data: the information that you provide when filling in the forms on the Website (for example, or subscription purposes, to participate in surveys, for marketing purposes etc.);the information that you provide for order fulfilment or to provide a service. the data relating to your request such as products, quantity, price, billing and delivery addresses including health information about you only where you volunteer and consent to this, for example if you report any specific food allergies after placing an order. the transaction data such as payment information and credit/debit card information that is transmitted directly to third parties who process your requests. the information you provide for the purposes of managing your job application and, where applicable, your recruitment process(e.g.: CV, information relating to your education, your professional experience, awards, diplomas, certificates, attestations, languages spoken, salary expectations, etc.); Please see our HR Privacy Policy for me information. 

-         Information collected to onboard and manage our, partners, suppliers and their sub-contractors.
-         Information collected to provide services to our corporate clients, customers, run our business, market, and improve our services.
-         your preferences in receiving marketing from us and our third parties and your communication preferences.
-         information collected through Cookies as defined in our

Cookie Policy. Please find details of the different data collected for the various purposes in the chart (Annex 1).  

PURPOSES FOR WHICH WE USE PERSONAL DATA
Personal data may be collected for the following general purposes (a more precise description of the processing of your data can be found in the Annex 1 below):  Cookies Customer     Relationship Management Marketing     Management Recruitment·        Account creation and management·        Supplier Management ·        Service Provision ·        Running and improving our business, including bids, acquisitions, and sales. In addition, please note that you have the option to click on the dedicated icons of social networks such as Instagram, LinkedIn, etc. that appear on our Websites. When you click on these icons, we may have access to the Personal data that you have made public and accessible via your profiles on the social networks in question. We neither create nor use any separate databases from these social networks based on the Personal data that you have published there, and we do not process any Personal data relating to your private life through these means. If you do not want us to have access to your Personal data published in the public spaces of your profile or your social accounts, then you should use the procedures provided by the social networks in question to limit access to this information. These links to other websites should not be considered as navigation tracking and we decline any responsibility concerning the Personal data protection practices implemented by these third-party companies, each of which acts as a separate Controller of your Personal data on their own perimeter. Once you leave our Website or click on the logo/link to one of these social networks, it is your responsibility to check the privacy policy applicable to that other platform.   

LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
We process your Personal data as part of theperformance and management of our contractual relationship with you, in ourlegitimate interest to improve the quality and operational excellence of the serviceswe offer to you or in compliance with certain regulatory obligations dependingon the purpose of processing as identified in the chart in Annex 1.Your Personal data may also be processed based onyour prior consent in the event that under certain circumstances, your consentwould be requested (e.g regarding health data or for certain types of Cookies).Please find more information about the legal basisfor each of our processing in the Annex 1below. TRANSFER OFPERSONAL DATAAs Sodexo Circles is aninternational group of companies and part of the Sodexo group of companies thismeans that your Personal data may be transferred to internal or externalrecipients that are authorised to perform services on our behalf. Conciergerequests relating to services in other regions will necessitate the transfer ofpersonal data in order to fulfil the request.Data protection lawdoes not allow the transfer of Personal Data to third countries outside UK andEEA that do not ensure an adequate level of data protection. Some of the thirdcountries in which Sodexo operates outside UK and EEA do not provide the same level of dataprotection as the country in which you reside and are not recognized by theEuropean Commission or ICO as providing an adequate level of protection forindividuals’ data privacy rights. To guarantee the security andconfidentiality of Personal data thus transmitted, we will take all necessarymeasures to ensure that this data receives adequate protection, such asentering into data transfer agreements with the recipients of your personaldata based on the applicable standard contractual clauses (“SCCs”) or othervalid transfer mechanisms and we carry out, in accordance with the EuropeanCourt of Justice's decision of 16 July 2020 "Scherms II" (Case C311-18), a risk assessment of the transferred data. If you would like toreceive a copy of the safeguards in place to secure data transfers outside theUK or European Economic Area, please contact the Data Protection Officer. 

DISCLOSURE OF PERSONAL DATA
The security and confidentiality of your Personaldata is of great importance to us. Therefore, we limit access to your Personaldata to only members of our staff who need it to process your orders or providethe requested service. We will not disclose your Personal data tounauthorized third parties. However, we may be required to share yourpersonal data with entities of the Sodexo Group (the Group Circles is a partof) and with authorized service providers (for example: technical providers[hosting, maintenance], consultants, etc.) to which we can call in the contextof our benefits.We do not allow our service providers to use ordisclose your Personal data, except to the extent necessary to provideservices on our behalf or to comply with legal obligations. In addition,we may share Personal data about you: if required by law or legal process, in response to a request from public     authorities or other officials, or if we believe that the transfer of this data     is necessary or appropriate to prevent any physical damage or financial     loss or in connection with an investigation concerning a suspected or     proven illegal activity. 

STORAGE PERIOD OF YOUR PERSONAL DATA  Sodexo Circles will keepPersonal Data that is processed accurate and, where necessary, up to date. We will store your Personal data only for as longas necessary to fulfill the purposes for which it was collected and processed.This period may be extended, if applicable, for any amount of time prescribedby any legal or regulatory provisions that may apply.To determine the retention period of your Personaldata, we take into consideration several criteria such as:  The     purpose for which we hold your Personal data (e.g., when you purchase     products on our websites, we keep your Personal data for the duration of     our contractual relationship); Our     legal and regulatory obligations in relation to that Personal data (e.g..     accounting reporting obligations); Whether     you are an active user of our services, you continue to receive marketing     communications, or you regularly browse or purchase off our Websites or     whether you do not open our emails or visit our Websites; For instance, if     you have agreed to receive marketing communications, we keep your Personal     data until you: (i) unsubscribe from receiving marketing communications     (ii) request we delete your Personal data, or (iii) after a period of     inactivity (i.e. where you have not interacted with us for a period of     time). This period is defined in accordance with local regulations and guidance. Any     specific requests from you in relation to the deletion of your Personal     data or Account.  Any     statutory limitation periods allowing us to manage our own rights, for     example the defense of any legal claims in case of litigation; and Any     local regulations or guidance (e.g., regarding cookies).Please find more information about the storageperiod of your Personal data in Annex 1below.  

SENSITIVE PERSONAL DATA

As a general rule, we do not collect sensitivePersonal data via our websites. “Sensitive Personal data” refers to anyinformation concerning a person’s racial or ethnic origins, political opinions,religious or philosophical beliefs, union membership, health data or data relatingto the sexual life or the sexual orientation of a natural person. Thisdefinition also includes personal data relating to criminal convictions andoffenses.In the event that it would be strictly necessary tocollect such data to achieve the purpose for which the processing is performed,we will do so in accordance with local legal requirements for the protection ofPersonal data and, in particular, with your explicit prior consent and underthe conditions described in this policy.  

PERSONAL INFORMATIONAND CHILDREN 
The Website is intended for use by adults who havethe capacity to enter a contract under the laws of the country in which theyare located. Child users under the age of 16, or those without legalcapacity, must obtain the consent of their legal guardians before submittingtheir data on the Website. The age limit of 16 can be reduced to 13depending on the local legislation of your place of usual residence. Our websiteis intended for a general audience and is not directed to children under theage of 13.   Please contact us if you believe that we may havecollected information from your child, and we will work to delete it. 

YOUR RIGHTSCircles is committed to ensure protection of yourrights under applicable laws. You will find below a table summarizing yourdifferent rights:

Right of access and rectification        

You can request a copy of the personal data we hold about you.

You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.

Right to erasure        
Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:

(i)           the data is no longer necessary for the purpose for which it was collected;
(ii)          you choose to withdraw your consent;
(iii)         you object to the processing of your Personal data;
(iv)         You have objected to the use of your data for direct marketing purposes.
(v)          your Personal data has been unlawfully processed;
(vi)         there is a legal obligation to erase your Personal data;
(vii)       The data was collected from you as a child for an online service.

Right to restriction of Processing        

You may request that processing of your Personal data be restricted in the cases where:
(i)           you contest the accuracy of your Personal data;
(ii)          Circles no longer needs your Personal data for the purposes of the processing;
(iii)         you have objected to processing for legitimate reasons.
(iv)         the processing of your Personal data is unlawful and you prefer the restriction of their use instead of their deletion.

Right to data portability          
You can request, where applicable, the portability of your Personal data that you have provided to Circles, in a structured, commonly used, and machine-readable format you have the right to transmit this data to another Controller without hindrance from Circles where: a)    the processing of your Personal data is based on consent or on a contract; and b)    the processing is carried out by automated means. You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).Right to object to Processing  You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time. Right not to be subject to automated decisions         You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you.

Right to lodge a Complaint    
You can choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. In the UK, the Data Protection Supervisory Authority is the Information Commissioner’s Office (www.ico.org/uk).You have also the right to lodge your Complaint before the courts where Circles UK has an establishment or where you have your habitual residence. You may, at any time, exercise any of the above rights or contact us with any data protection related queries or concerns by completing the request form and sending it to privacy.circles@sodexo.com as indicated in the privacy notices and/or the privacy policies provided to you at the time of the collection of your Personal Data or by completing and submitting the dedicated request webform. For more details, please consult the Local Data Protection Rights Policy.

 TRANSFER OF PERSONAL DATA As Circles is an international group, your Personal data may be transmitted to internal or external recipients that are authorized to perform services on our behalf. Some of these recipients are located in countries outside of the European Union or the European Economic Area which do not offer an adequate level of Personal data protection. Those recipients can also be other entities of the Sodexo Group. Sodexo Group has entities in over 60countries who could be recipients of your data for the purposes listed above.   
In addition, Circles has processors that can be located in the following countries: United     Kingdom, United     States of America Your personal data may be transferred to our US-based provider for marketing management purposes. To guarantee the security and confidentiality of Personal data thus transmitted, we will take all necessary measures to ensure that this data receives adequate protection, such as entering into data transfer agreements with the recipients of your personal. data based on the European Commission's standard contractual clauses (“SCCs”) or other valid transfer mechanisms and we carryout, in accordance with the European Court of Justice's decision of 16 July2020 "Schrems II" (Case C 311-18) and with the guidance of the European Data Protection Board, a risk assessment of the transferred data. If you would like to receive a copy of the safeguards in place to secure data transfers outside the European Economic Area, please refer to the Section “How to contact us”.  

SECURITY We implement all possible technical and organizational security measures to ensure the security and confidentiality of the processing of your Personal data. To this end, we take all the necessary precautions taking into account the nature of the personal data and the risks linked to their processing, in order to ensure the security of the data and in particular to avoid any deformation, deterioration or unauthorized access by third parties(physical protection of premises, authentication procedures with personal and secure access via confidential identifiers and passwords, connection log, encryption of certain data, etc.). We regularly conduct audits to verify the proper operational application of the rules relating to the security of your Personal data. Nevertheless, you also have a responsibility to ensure the security and confidentiality of your Personal data so we invite you to remain vigilant, especially when using an open system such as the Internet. 

LINKS TO OTHER WEBSITES
Occasionally, we provide links to other websites for convenience and information. These websites operate independently from our website and are not under our control. These websites are operated by third parties with their own privacy recommendations or terms of use which we strongly advise you to read. This privacy policy does not apply to any other third-party websites. We accept no responsibility for the content of these websites, the products and services offered there, or any other use that may be made of them.  

UPDATES OF OUR ONLINE PRIVACY POLICY
We may update or amend this policy as and when needed. In this case, amendments will only become applicable after a period of30 business days from the date of the amendment. Please consult this page from time to time if you want to be informed of any possible changes.  

UNSUBSCRIBING AND OPT-OUT
If you have subscribed to certain services through our Website and you no longer want to receive emails, please consult the “unsubscribe” link at the bottom of any email message you receive from us, send us an email at privacy.circles@sodexo.com 

HOW TO CONTACT US If you have any questions or comments with regard to this policy, please do not hesitate to contact us at the following address: circles.uk@sodexo.com.

Annex1: INFORMATION ABOUT THE PROCESSING OF YOUR PERSONAL DATA  

Click here to view


·        Identity Data includes [first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender].
·        Contact Data includes billing address, delivery address, email address and telephone numbers. For clients and suppliers this includes contacts within your organisation and may include publicly available information such as Companies House.
·        Financial Data includes bank account and payment card details.
·        Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us or enquired about and for suppliers, products and services we have purchased or enquired about from you.
·        Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
·        Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.  
·        Usage Data includes information about how you use our website, products and services. ·        Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.  

CONTRACT AND PROVIDING SERVICES
This means things like, carrying out our obligations arising from contracts we’ve entered into or a third party we are fulfilling a contract for, managing our relationship and notifying you about changes to our services or that we have taken over a service.

LEGAL OBLIGATIONS
This is things like keeping records for tax purposes and complying with statutory requirements.

LEGITIMATE INTERESTS
This means things like running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise, health and safety or security requirements such as managing CCTV. Where we manage CCTV on site a separate policy will set out details regards the CCTV used. It can also mean enabling you to take part in a prize draw, competition or complete a survey. Studying how customers use our products and services to develop our business. We may use profile data to establish what you want or may of interest to you and decide which offers or services may be relevant to you (we call this marketing). For example we may market an event to individuals who live near a venue based on the geographical data we hold about you.

Stay in the loop

Subscribe to the latest news and perpectives from Circles.