
GDPR Compliance Policy

Date Issued: 30 November 2021
Function Group: Privacy Compliance
Document Owner/Author: Director of Data Privacy Compliance Europe
Last Revision Date: 4 November 2024
Version: 2.0
Revision History:
  • 30 November 2021 – v1.0
  • 4 November 2024 – v2.0
Interdependent Policies & Training:
  • New Business Process Approval Policy
  • Data Subject Requests Policy
  • Data Breach Management Policy
  • E-Training GDPR: A Practical Overview
Sections

I. Purpose

II. Policy

III. Consequences of Non-Compliance

IV. Reporting and Protection from Retaliation

V. Appendix

I. PURPOSE

This General Data Protection Regulation Compliance Policy (the “GDPR Compliance Policy” or this “Policy”) governs the manner in which Aramark (the “Company”) Processes Personal Data under the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”) and the retained EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland (“UK GDPR”) (together referred to as the “GDPR”).  This Policy also describes the measures the Company takes to protect Personal Data and explains how individuals can exercise their rights under the GDPR.

 

All capitalized terms used in this Policy, unless otherwise defined herein, have the meaning as prescribed in the GDPR.

 

II. POLICY

 

1. Scope and Applicability

 

This Policy complies with GDPR.

 

This Policy applies to all Company affiliates, employees, and Service Providers that Process the Personal Data (i) originating from, or on behalf of, an Aramark Affiliate established in a Member State of the European Economic Area (“EEA”) or Switzerland or in the United Kingdom (“UK”); or (ii) of Data Subjects located in a Member State of the EEA or Switzerland or the UK.

 

This Policy does not in any way override or substitute for any applicable national data protection and privacy laws and regulations. All such local laws and regulations must be followed at all times and will take precedence over the Policy in cases where they provide for stricter standards on privacy and data protection.

2. The Company’s Privacy Compliance Network

 

Our Privacy Compliance Program (the “Program”) defines the Company’s global framework for privacy compliance by setting out common rules to be applied by all Company entities and employees worldwide when Processing Personal Data within the scope of the GDPR (as set out above) on the Company’s behalf. The Program is designed to comply with applicable law, including with respect to transfers of Personal Data within the Company and to Service Providers.

 

The key elements of the Program are set forth below:

 

2.1 Privacy Compliance Team 

 

In recognition of the importance of privacy compliance, the Company maintains the Privacy Compliance function within the overall Compliance organisation. The Privacy Compliance function works closely with Legal, IT Operations, Information Security, and other corporate functions to protect Personal Data and Process Personal Data in accordance with applicable law.

The main purpose of the Privacy Compliance Program is to ensure that all Employees:

  • Understand the GDPR Principles and how to apply them to their specific roles and functions in the organization;

  • Receive general privacy awareness training and education on the Company’s Privacy Compliance Program; 

  • Understand the Company’s obligations to comply with DSRs;

  • Understand how to identify and report Data Breaches;

  • Direct all questions and requests to the dedicated GDPR inbox: gdpr@aramark.com.

 

2.1.1. Roles and Responsibilities

 

With regard to Privacy Compliance Program, the Company’s representatives shall have the roles and responsibilities as set forth below: 

 

(i) Privacy Compliance Team Members are responsible for the privacy compliance program in Europe, specifically by:

  • Developing privacy protection strategy, action plans, policies and standards;

  • Providing business teams with support and guidance on privacy-related topics;

  • Ensuring the compliance program’s execution in all relevant countries;

  • Building collaboration and setting up privacy communication channels within global Compliance and Legal teams; 

  • Identifying and analyzing privacy-related risks and providing solutions and guidance for the business to develop mitigation measures;

  • Conducting privacy risk assessments and audits to ensure GDPR compliance;

  • Reviewing new projects and initiatives for compliance with GDPR;

  • Training management on their accountability principles and employees on GDPR compliance requirements pertaining to their functions;

  • Building awareness and privacy compliance culture in the organization;

  • Maintaining records of all data processing activities and accompanying compliance documentation;

  • Ensuring that data subjects’ claims and requests are fulfilled or responded to;

  • Managing data breaches and privacy incidents;

  • Being the point of contact and subject matter expert for all GDPR privacy-related queries in the organization;

  • Keeping watch on privacy compliance and monitoring developments in data protection legislation.

 

(ii) Director of Data Privacy Compliance Europe:

 

  • Supervises execution of Privacy Compliance Program, assigns resources and coordinates exchange with other corporate functions;

  • Supports the other Privacy Compliance Team Members in all activities belonging to Privacy Compliance Program.

 

(iii) Local and Corporate Privacy Legal Team:

 

  • Provides legal support on privacy issues;

  • Assists with the engagement of outside counsel to the extent needed;

  • Assesses the enforceability / validity of potential legal claims in relation to personal data processing.

 

(iv) Chief Information Security Officer (CISO) is accountable, through the Chief Information Officer, to the Chief Executive Officer for:

 

  • Establishing and maintaining policies to reflect organization risk tolerance and risk management best practices.

  • Risk assessing, approving, and maintaining a list of exceptions to these policies.

 

(v) Business Process Owner(s):

 

  • For the purpose of this Policy, a Business Process Owner is the employee in charge of the specific process or asset involving processing of personal data and his/her role is to ensure an appropriate level of protection, confidentiality, integrity, and availability of personal data under his/her responsibility in compliance with privacy regulations.

  • Business Process Owner(s) shall assist the Privacy Compliance Team (or its delegate), in particular in the preparation of documentation required under the GDPR and in the implementation of controls necessary to achieve the objective of this Policy, and participate in incident response as required.

 

(vi) All Employees:

 

  • Adhere to the Company’s expectations and undertake their duties in a manner consistent with the Company’s policies and procedures;

  • Undertake any necessary training as and when required;

  • Seek guidance from a Privacy Compliance Team Member, a Legal Team Member, or the Data Protection Officer (if applicable) when unsure whether any of their actions might be in breach of this Policy.

 

(vii) Data Protection Officer (DPO)

 

The Company appoints a Data Protection Officer whenever required under the GDPR and local data privacy laws, having regard to the nature and scope of the Company’s processing activities locally.

 

Where the Company is required to appoint a Data Protection Officer, they play a crucial role in the implementation and deployment of the Company's Privacy Compliance Program, working closely with other members of the Privacy Compliance Team and actively participating in the program.

 

Where a Data Protection Officer is appointed at the Company’s specific location, it is reflected in the local privacy compliance documentation and corresponding procedures. Where it is determined that no Data Protection Officer is required to be appointed locally, there is a Privacy Compliance Team member who has responsibility for the Privacy Compliance Program in that region. A list of all DPOs and Privacy Compliance Team members can be requested by emailing gdpr@aramark.com.

 

2.2 Training

 

(i) General GDPR awareness training;

(ii) Targeted and customized privacy awareness workshops for personnel that regularly process large volumes of Personal Data and / or sensitive Personal Data (e.g., payroll) on the Company’s behalf; 

(iii) Internal training regarding the administration of the GDPR program for support functions, lines of business or sites.

 

2.3 Compliance Documentation 

 

This Policy requires that the Company maintains appropriate compliance documentation as required by GDPR, including:

 

2.3.1 General Documentation

 

(i) This Policy and associated policies that address specific aspects of Personal Data Processing, including policies on:

 

  • Approval of New Business Processes: Execution of Privacy by Design principle;

  • Data Breach Management: Handling security incidents involving personal data;

  • Data Subjects Requests Handling: Documentation and implementation of a process that allows handling of and response to data subject requests and working instructions / job aids to capture incoming requests and ensure transfer to privacy organization – dedicated to those who specifically deal with DSRs; 

  • Data Retention and Deletion: to address data retention obligations and associated business needs, data archiving and deletion.

 

(ii) Data Maps: Records of Processing Activities as required under Art. 30 GDPR

(iii) Data Protection Impact Assessments as required under Art. 35 GDPR

(iv) Privacy Notices as required under Art. 13 GDPR 

(v) Inter Affiliate Agreements to maintain an adequate level of protection for the processing of Personal Data between entities of the Company Group

 

2.3.2 Documentation Designed to Implement the Company’s Risk Model

 

(i) Description of risks and the metrics to measure the risks;

(ii) Risk model to be embedded in New Business Process Approval Policy and Data Breach Management Policy. 

 

2.3.3 Documentation Describing the Company’s Technical and Organizational Measures

 

(i) The Company issues Standard Operating Procedures for specific functions processing personal data in order to ensure processing is compliant with GDPR;

(ii) The Company shall maintain adequate physical, electronic, and administrative security, at least to the level of industry standards, designed to protect Personal Data;

(iii) In retaining Service Providers that Process Personal Data on the Company’s behalf, the Company must follow the principle of “privacy by design” and assess such Service Providers in accordance with the New Business Process Approval Policy;

(iv) The Company shall direct all Service Providers Processing Personal Data on the Company’s behalf to demonstrate appropriate safeguards for Processing Personal Data.

 

2.4 Audit and Control

 

The Company makes sure that independent internal audit and control functions monitor and assess the level of compliance in terms of privacy protection.


3. Processing of Personal Data

 

3.1 Compliance with Applicable Law

 

The Company shall comply with GDPR and any other applicable legislation relating to Personal Data which is within the scope of this Policy as set out above and will Process Personal Data in accordance with such laws.

 

3.2 Lawfulness, Fairness and Transparency

 

The Company shall not Process Personal Data without having a lawful reason to do so. The Company may Process Personal Data where necessary for the performance of a contract to which an individual is a party, when it is necessary for compliance with a legal obligation to which the Company is subject or where required, or with lawful prior consent. In certain circumstances, the Company may also Process Personal Data for the Company’s legitimate interests, except where such interests are overridden by an individual’s interests or fundamental rights and freedoms.

 

Prior to Processing Personal Data, the Company shall provide a fair and complete privacy notice, unless providing such notice is impossible or would require disproportionate effort. The Company’s privacy notices shall be designed to address: (i) who is responsible for the Processing of Personal Data, (ii) the purposes of Processing, (iii) the parties with whom Personal Data is shared, and (iv) a Data Subject’s rights under applicable law and how to exercise them.

 

When required by applicable law, we will seek an individual’s prior consent to processing (e.g., before collecting any Sensitive Personal Data).

 

3.3 Legitimate Purpose, Limitation and Data Minimisation

 

The Company must Process Personal Data solely in accordance with specified, explicit, and legitimate purposes and not in a manner that is incompatible with such purposes.

 

When the Company acts for its own purposes, such Processing includes (but is not limited to) the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, management of employees’ safety, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, including infrastructure management, systems management, applications, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

 

The Company must only process Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

 

3.4 Data Accuracy and Storage Limitation

 

The Company must act in accordance with industry standards to ensure that Personal Data that the Company controls is accurate and up to date. The Company must only retain Personal Data for as long as necessary for the lawful purposes for which such Personal Data was collected, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for the Company to assert or defend against legal claims, until the end of the relevant retention period, or until the claims in question have been settled.

 

Upon expiration of the applicable retention period, the Company shall securely destroy Personal Data in accordance with applicable laws and regulations.

 

3.5 Security of Personal Data

 

The Company has implemented reasonable and appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, and against unauthorized use, disclosure, or access, in accordance with our Global Information Security Policy.

The Company has also implemented a Data Breach Management Policy, designed to ensure that, in the event of a Personal Data breach, the persons affected by the incident are protected against damage and that the competent supervisory authority is properly notified in a timely manner.

 

3.6 Disclosure of Personal Data

 

The Company may only share Personal Data in the following circumstances:

 

(i) With Company entities for the purposes described in this GDPR Compliance Policy;

(ii) With third parties including certain Service Providers retained in connection with the purposes described in this GDPR Compliance Policy and the services the Company provides; 

(iii) With companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared; 

(iv) With courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;

(v) With Service Providers who the Company engages within or outside of the Company, domestically or abroad (e.g., shared service centers, information security management, etc.), to process Personal Data for any of the purposes listed above on the Company’s behalf and in accordance with our instructions only; 

(vi) With clients where necessary and only where permitted by law;

(vii) If the Company sells or buys any business or assets, in which case the Company may disclose Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

4. Data Subject Rights

 

The Company is committed to ensuring that individuals can exercise their rights under applicable laws. The table below summarises Data Subject Rights. A more detailed process for responding to Data Subject requests, as well as instructions for how to execute Data Subject Rights, are set forth in the Data Subject Requests Handling Policy.

Right of access and rectification
Data Subjects can request access to their Personal Data. Data Subjects may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed.

Right to erasure
Data Subjects have a right to be forgotten, which entitles an individual to request the erasure of the Data Subject’s Personal Data in cases where:
  • the data is no longer necessary for the purpose for which it was collected;
  • the Data Subject chooses to withdraw consent;
  • the Data Subject objects to the processing of Personal Data;
  • the Data Subject’s Personal Data has been unlawfully Processed;
  • there is a legal obligation to erase the Data Subject’s Personal Data;
  • erasure is required to ensure compliance with applicable laws.

Right to restriction of Processing
Data Subjects may request that processing of Personal Data be restricted in cases where:
  • the Data Subject contests the accuracy of such Data Subject’s Personal Data;
  • the Company no longer needs the Data Subject’s Personal Data for the purposes of the processing;
  • the Data Subject has objected to processing for legitimate reasons.

Right to data portability
Data Subjects can request, where applicable, the portability of the Personal Data that such Data Subjects have provided to the Company in a structured, commonly used, and machine-readable format. Data Subjects have the right to transmit such Personal Data to another Controller without hindrance from the Company where:
  • the Processing of the Data Subject’s Personal Data is based on consent or on a contract; and
  • the Processing is carried out by automated means.
Data Subjects can also request that the Data Subject’s Personal Data be transmitted to a third party of such Data Subject’s choice (where technically feasible).

Right to object to Processing
Data Subjects may object (i.e., exercise the right to “opt out”) to the Processing of Personal Data, particularly in relation to profiling or to marketing communications. When we process a Data Subject’s Personal Data on the basis of the Data Subject’s consent, such Data Subject can withdraw his/her consent at any time.

Right not to be subject to automated decisions
Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect upon the Data Subject or similarly significantly affects the Data Subject.

Right to lodge a Complaint
Data Subjects can choose to file a Complaint with the Data Protection Supervisory Authority in the country of the Data Subject’s habitual residence, place of work, or place of the alleged infringement, regardless of whether he/she has suffered damages.

5. International Data Transfers

 

The Company shall comply with applicable law addressing international Personal Data transfers. European data protection law does not allow the transfer of Personal Data to third countries outside the European Economic Area (“EEA”)/United Kingdom (“UK”) that do not ensure an adequate level of data protection. Some of the third countries in which the Company operates outside the EEA/UK do not provide the same level of data protection as the country in which a Data Subject may reside and are not recognized as providing an adequate level of protection for individuals’ data privacy rights. For transfers of Personal Data to such countries, either to entities within or outside the Company, the Company must put in place additional safeguards to protect Personal Data, which might include Standard Contractual Clauses, a risk assessment, and additional technical and organizational measures.

 

Where the Company transfers Personal Data to entities of the Company Group located in countries outside the EEA or outside Switzerland (or, in the case of the UK GDPR, outside the UK), those transfers are covered by the Company’s Inter Affiliate Agreement and no additional measures are to be implemented to address these transfers of Personal Data.

 

6. Responsibility for Enforcement; Update to this Policy

 

6.1

The Managing Director of each Company entity subject to this Policy is responsible for its enforcement in her/his entity.

 

6.2

This GDPR Compliance Policy will be published on intranet pages of the Company entities subject to this Policy. We may update this Policy from time to time as our business changes or legal requirements change. If we make any material changes to this GDPR Compliance Policy, we will post a notice on the applicable intranet websites when the changes go into effect, and where necessary, send a direct communication to employees about the change.

 

7. Contact Us

 

If you have questions, comments, or requests regarding this GDPR Compliance Policy, please email gdpr@aramark.com or your local Privacy Compliance contact. 

III. CONSEQUENCES OF NON-COMPLIANCE

 

Any employee, regardless of position or title, who violates any provision of this policy, may be subject to discipline, up to and including termination of employment. Contractor and agent violations may result in removal of assignment at the Company.

 

IV. REPORTING AND PROTECTION FROM RETALIATION

 

The Company encourages individuals to speak up when they see or suspect policy violations or violations of law. Individuals will never be subject to retaliation for reporting a suspected violation as long as they act in good faith and with a reasonable belief that the information they are providing is true. To submit an issue in the United States, you can use the Aramark Hotline website form at www.aramarkhotline.com or call 1-877-224-0411.  Internationally, you may use the form at www.aramarkhotline.com or contact one of our international numbers available at www.aramarkinternationalhotline.com.  For more information about the Aramark Hotline and other ways to raise a concern, review Aramark’s BCP for Resources for Voicing Questions or Concerns.

 

V. APPENDIX

GDPR Glossary

 

Aramark Europe – entities belonging to the European cluster, in particular: United Kingdom, Ireland, Czech Republic, Germany, Spain, Belgium, the Netherlands, France, and Luxembourg.

 

Biometric Data – any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.

 

Consent – freely given, specific, informed, and explicit consent by statement or action signifying agreement to the processing of personal data.

 

Chief Information Security Officer (“CISO”) – the role responsible for the information security and cybersecurity program of the organisation.

 

Database – any specific set of personal data that is accessible according to specific criteria, or able to be queried.

 

Data Concerning Health – any personal data related to the physical or mental health of an individual or the provision of health care services to them.

Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data.

 

Data Breach – breach of the security of personal data that leads to violation of confidentiality, integrity and / or availability attributes of personal data that, whether intentional or not, results in loss, alteration or unauthorized access to personal data.

 

Data Breach Handling Process - the process of identifying and investigating a suspected data breach, as well as providing the necessary notifications and implementing remediation measures to mitigate damage to Data Subject(s) in the event of a Data Breach.

 

Data Erasure – entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

 

Data Privacy Impact Assessment, also: (D)PIA – a tool used to identify and reduce the privacy risks of entities by analyzing the personal data that are processed and the policies in place to protect the data.

 

Data Portability – the requirement for data controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another data controller.

 

Data Processor – the entity that processes data on behalf of the Data Controller. Also: Service Provider.

 

Data Processing Agreement, also: DPA – a contract or other legal act under applicable law, that is binding on the data processor with regard to the data controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of data controller and data processor.

 

Data Protection Authority, also: Supervisory Authority – national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the European Union (EU), the European Economic Area (EEA) and in the United Kingdom (UK), respectively.

 

Data Protection Officer, also: DPO – an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.

 

Data Subject – a natural person whose personal data is processed by a data controller or data processor.

 

Data Subject Request, also: DSR – a request regarding Personal Data Processing by a European Aramark Affiliate, corresponding to the respective Data Subject Right.

 

Data Subject Rights – are the specific rights granted to data subjects under the GDPR to give them control over the way their personal data is processed. The Data Subject Rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.

 

Data Transfer, also: International or Cross-Border Data Transfer – Transfers of Personal Data originating from the European Union (EU), European Economic Area (EEA) or United Kingdom (UK) to recipients in Third Countries.

 

Derogation – an exemption from a law.

DSR Process Flow – action steps depending on the type of incoming Data Subject Request as described in Appendix 4 to the Data Subject Requests Handling Policy.

 

DSR Tool – central software used by Privacy Compliance Team Members to document Data Subject Requests.

 

Encrypted Data – personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.

 

European Aramark Affiliate – means any company that is a direct or indirect subsidiary of Aramark and has its business in a country of the European Union or United Kingdom. 

 

General Data Protection Regulation, also: GDPR – is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA), as well as in the United Kingdom (UK) to the extent the GDPR has been retained in domestic law as the ‘UK GDPR’ following the UK’s withdrawal from the EU. The GDPR also addresses the transfer of personal data outside the EU and EEA areas and the UK, respectively.

 

Genetic Data – data concerning the inherited or acquired characteristics of an individual which give unique information about the health or physiology of the individual.

 

Personal Data – any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.  This includes Biometric Data and Genetic Data.

 

Privacy Compliance Team Member – expert in the field of data privacy compliance and privacy compliance program management who works together with Compliance and Legal teams and DPO to ensure that European Aramark Affiliates are adhering to the policies and procedures set forth in the GDPR. Also: Information Protection Coordinator.

 

Privacy by Design – a principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

 

Processing, also: Data Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Business Process Owner, also: Business Owner – the person in charge of the specific process or asset involving processing of personal data, whose role is to ensure an appropriate level of protection, confidentiality, integrity, and availability of personal data under his/her responsibility in compliance with privacy regulations.

 

Profiling – any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior.

 

Pseudonymization – the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution.

 

Recipient – entity to which the personal data is disclosed.

 

Representative – any person in the European Union explicitly designated by the data controller to be addressed by the supervisory authorities.

 

Service Provider – a third-party outsourced supplier that provides a specific service. Where that service involves Processing of Personal Data, the Service Provider may be qualified as a Data Processor or an independent Data Controller.

 

Security Operations Center (SOC) – functional group responsible for monitoring, detecting, and responding to Information Security Events.

 

Third Country – a country outside the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), respectively.

© Wilson Vale Catering Management Ltd.
