Exclusive Networks // Sustainability Report 2022

Risks and opportunities Risk factors

Risk related to personal data breach

Criticality level: ■ ■ ■

Risk description

In conducting its business, the Group collects and processes personal data from customers, end-users and prospects. Global privacy policies have developed considerably, creating a complex compliance environment governed by legislation such as the European Union’s General Data Protection Regulation (GDPR), in force since 25 May 2018, in addition to the e-privacy Directive 2002/58/EC and national legislation. These regulations establish a legal framework for the protection of personal data, with enhanced rights for citizens and new obligations for businesses in this area. Any real or perceived breaches or improper use of, disclosure of, or access to such data could harm the Group’s reputation as a trusted brand and could have a material adverse effect on the Group’s business, results of operations or profitability.

Should there be a breach of the General Data Protection Regulation (GDPR), the Commission Nationale Informatique et Libertés (French data protection authority – CNIL) may issue the following sanctions in France once the right to reply has been exercised:

• a reprimand;
• an injunction to comply. This may be accompanied by a penalty of up to €100,000 for every day of delay;
• a temporary or definitive restriction on processing, a ban or withdrawal of an authorisation;
• the withdrawal of a certification;
• the suspension of data flows intended for a recipient located in a third country or for an international organisation;
• a partial or whole suspension of the decision to approve binding corporate rules (BCR);
• an administrative fine of up to €10 million or 2% of the company’s annual sales worldwide. For more serious breaches, this amount may be increased to €20 million or 4% of annual sales worldwide;
• the publishing of its decision, as determined by the CNIL’s restricted committee.

Risk management

In order to mitigate the impact of this risk, the Group is focusing on the following actions:

• monitoring and strengthening the compliance system with the support of the relevant departments in each country;
• the continuous improvement of the systems in each country by the data protection officers (DPO);
• training and awareness-raising of employees on the protection of personal data (with the development of e-learning to ensure continuity of training);
• the conduct of multi-level controls.

For more information, see Chapter 6, sections 6.4 “Information system protection” and 6.5 “Data protection”.
