Foodex Group is highly engaged at respecting privacy and private data, considering it a trust and
confidence factor.
This policy has been developed to share with all stakeholders this engagement to respect privacy.

Data Protection Officer (DPO)

In order to preserve privacy and protect the private data, a Data Protection Officer (DPO) has been
named.
This DPO works independently and in coordination with all the group companies
The DPO is a trustworthy actor, specialized on data protection, in charge of ensuring proper
application of the data protection rules. He is the interface of the “Commission Nationale
Informatique et Liberté” (CNIL) in France. He is also the interface of any person concerned by private
data collection or treatment.

Principles applicable to Private data protection

The subsidiaries of Foodex Group operate data treatments in respect of the laws and regulations
applicable, especially the General Data Protection Regulation (GDPR), in Europe and all countries of
operation.
Specific Private data governance policies are applied locally in the subsidiaries and their application
is monitored.

Treatments with determined explicit and legitimate objectives:

The private data are gathered with a specific objective, shared with the related stakeholder. These
data cannot be used at a later stage for other objectives.
These data are collected loyally: No collection is done without informing the stakeholders.

Proportion and relevance of the data collected:

The private data collected are strictly necessary to the objective of the collection. The companies of
Foodex Group are fully engaged to minimize as much as possible the collected data, to maintain
them and update them while respecting the rights of the stakeholders.

Private data retention lead time:

The private data are stored for a limited period, not exceeding the lead time required for the
treatment
The stakeholders are informed of the conservation leadtimes. These leadtimes can vary from
depending on the data, the treatment or the legal constraints.

Confidentiality/Security of data:

Policies and processes of protection of the Information systems are implemented within the
companies of Foodex Group, adapted to the type of data and to the activities of the company
Physical, logical and organisational measures are implemented to ensure confidentiality of data and
specially to avoid unauthorized access.
The companies of Foodex Group require from their subcontractors the implementation of
appropriate measures to ensure security and confidentiality of private data. These requirements are
secured through contractual agreements
Certain private data can be sent in countries in and out of the European Union, especially in Japan
where Foodex Group headquarters is located. In such cases, the stakeholders are informed, and
specific measures are implemented to secure the data.

Individual rights:

All necessary means are implemented to ensure individual rights regarding Private data :
• A clear, comprehensive and accessible information about the treatments
• A facilitated access to Private data: All stakeholder has the right to access his/her private
data and modify/suppress them anytime and at no cost
All stakeholders can access their private data and in certain cases can have them modified
(incomplete or inaccurate), deleted or to ask to limit the treatment on them. The stakeholders also
have a portability right, given the fact that these data have been submitted with their formal
consent or by the execution of a contract.
These requests can be addressed to the DPO by email (at dpo@foodex.fr) or by postal mail to:
DPO
Foodex S.A.S.
64 rue du Ranelagh
75016 Paris

Communication and animation of the Private Data protection policy:

This policy is accessible to all through proper diffusion and is regularly updated, taking into account
the legal evolutions and organisational changes within Foodex Group
This Private Data protection policy is completed by:
– Targeted information documents describing the treatments operated, the recipients of data,
their storage duration and the processes applicable to exercise the individual rights on these
data
– Supplementary clauses inserted in required documents (contracts and internal documents)