2021 Universal Registration Document

4 CORPORATE RESPONSIBILITY

Engaging our stakeholders to meet their needs better

Tax regulations and transparency – Fight against tax evasion

In tax matters, Sopra Steria Group is committed to complying with the tax laws and regulations applicable in all of the countries in which it is present. Sopra Steria acts in line with its values and ethical principles of integrity, commitment and accountability. Accordingly, the Group pays its taxes and duties in the countries where its operations are located and where value is created. This approach is pursued in accordance with international guidelines and standards, such as those of the OECD, particularly in relation to transfer pricing for cross-border transactions between Group companies.

In this respect, the Group does not engage in tax evasion or any other practice contrary to its ethical standards. Sopra Steria does not make use of aggressive tax planning or any structuring methods for its transactions that would detach the tax location from the location of business activity. The Group thus abstains from establishing operations in tax havens (uncooperative countries or territories on the official French list or the European Union’s blacklist), has no bank accounts at banks established in such countries or territories, and more generally abstains from creating any entities that have no economic substance or business purpose.

Sopra Steria Group is regularly audited by the competent tax authorities, with which it fully cooperates. The Group complies with the deadlines specified by tax authorities for providing responses to their queries, meets all of its reporting requirements and pays its taxes as required by law.

To limit tax risks relating to its activities, and to take advantage of existing tax incentives, exemptions and relief, in accordance with tax laws and the reality of its activities, the Group may enlist the services of outside tax consultants. All advice thus received is reviewed internally to ensure that any resulting application is consistent with the Group’s tax principles.

Data protection

Protection of personal information

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – known as the General Data Protection Regulation, or GDPR – entered into force on 25 May 2018. Sopra Steria Group and its subsidiaries have rolled out a programme intended to ensure compliance with this regulation and local laws. This programme is under the responsibility of the head of the Group’s Legal Department, an Executive Committee member, who is responsible for coordinating measures to protect personal data processed by Group companies (both for their own purposes and on behalf of their clients).

This programme is underpinned by an organizational and governance structure and an overarching policy on the protection of personal data. The organisational and governance structure has two tiers: a group tier and a local (country/entity) tier. Data Protection Officers have been appointed within each of the Group entities concerned. The Group Data Protection Officer relies on this structure to roll out the compliance programme across the Group.

This programme has the following goals in particular:

• The rollout of a specific tool to keep records of all processing of personal data by Group entities, both for their own purposes and on behalf of their clients;
• The implementation of specific procedures to respond to requests received from individuals exercising their rights relating to personal data, including the right to access, the right to rectification, the right to object to processing and the right to remove data across the system, including archived and recorded data:
    ◦ For employees of Group companies,
    ◦ For third parties (for example, job applicants in connection with recruitment procedures),
    ◦ For personal data processed by Group companies under contractual arrangements with their clients, as instructed in writing by the latter;
• The review of various internal and external media to ensure compliance with legal and regulatory requirements;
• The provision of standard contracts and clauses covering the protection of personal data in the context of contractual relationships with clients, subcontractors and suppliers;
• The rollout of a mandatory training module for all existing Group employees and for every new employee;
• The management of the whistleblowing procedure to report actual or suspected abuses and irregularities relating to personal data.

All external growth transactions involve a due diligence process covering the processing of personal data. Acquired companies are added to this compliance programme upon joining the Group.

In addition, at Sopra HR Software, the Sopra Steria Group’s HR solutions publisher subsidiary, the Binding Corporate Rules (BCR) have been in place within its entities since 2015.

Protecting and securing client data

The Group has put in place a policy and robust system across all its entities and operations, supported by appropriate governance, procedures and controls that are reviewed annually.
This point is presented in Section 1, “Risk factors”, of Chapter 2 of this Universal Registration Document (pages 38 to 44). As regards awareness-raising and training in the area of information security more specifically, the Group has a catalogue of training made available to employees via the Group Academy. Employees may take one or more of these training courses a year depending on their role. As regards awareness-raising, two e-learning modules are available, which are reviewed every two years. These are also supplemented by information messages and best practice, which are constantly shared on the Group’s intranets.
