Sopra Steria - 2019 Universal registration document

4 CORPORATE RESPONSIBILITY Ethics and compliance

  - inclusion of dedicated sections in induction training and business training modules, to ensure wider dissemination of information relating to anti-corruption practices;
- strengthened control and audit procedures. The specific controls are covered in the procedures developed under the programme for the prevention of corruption and influence peddling and may be either ongoing or periodic. In addition to the first-level controls carried out in the form of self-checks by the employees concerned and by line managers, controls are mainly performed, depending on the area involved, by the functional departments concerned (Finance Department, Internal Control Department, Industrial Department, Legal Department, Human Resources Department). Corruption and business ethics risks are also assessed by the Internal Audit Department when auditing the Group’s subsidiaries and/or divisions, by running through some 30 specific checks, defined in collaboration with the Internal Control Department, and during specific compliance audits as part of the internal audit programme;
- a whistleblowing system, set up in the first quarter of 2019, incorporating the French legal requirements laid down by the Sapin 2 and duty of care laws and rolled out to all Group entities. In 2020, the system will also be rolled out to the Group’s external stakeholders and in particular its clients, suppliers and other business partners.

5.4. Tax regulations and transparency

Regarding its tax policy, pursuant to Article L. 225-102-1 of the French Commercial Code, Sopra Steria Group is committed to complying with the tax laws and regulations applicable in all of the countries in which it is present, as well as the relevant international standards, such as those of the OECD, in particular those pertaining to transfer prices, through measures including documenting its transfer prices and filing a statement for each country with the competent tax authorities.
Sopra Steria Group is regularly audited by the competent tax authorities, with which it fully cooperates. Sopra Steria Group also abstains from establishing operations in tax havens (uncooperative countries or territories on the official French list or the European Union’s blacklist), has no bank accounts at banks established in such countries or territories, and more generally abstains from creating any entities that have no economic substance or business purpose.

This programme is directed by the Group’s Legal Department, which is responsible for coordinating measures to protect personal data processed by Group companies (both for their own purposes and on behalf of their clients), and includes:
- the appointment of Data Protection Officers (DPOs) with each of the Group entities concerned;
- the rollout of a specific tool to keep records of all processing of personal data by Group entities;
- the implementation of:
  - specific procedures to respond to requests received from individuals exercising their rights relating to personal data (including the right of access, the right to rectification, the right to object to processing, etc.):
    - for employees of Group companies,
    - for third parties (for example, job applicants in connection with recruitment procedures),
    - for personal data processed by Group companies under contractual arrangements with their clients, as instructed in writing by the latter;
  - a whistleblowing procedure to report actual or suspected abuses and irregularities relating to personal data;
- the adaptation of contracts (including those involved in subcontracting activities) as well as the various internal or external materials and media to comply with legal and regulatory requirements;
- the rollout of a mandatory training module for all existing Group employees and for every new employee.

In addition, at Sopra HR Software, the Sopra Steria Group’s HR solutions publisher subsidiary, the Binding Corporate Rules (BCR) have been in place within its entities since 2015.

5.5.2. PROTECTING AND SECURING CLIENT DATA

The Group has put in place a policy and robust system across all its entities and operations, supported by an appropriate organisational structure, procedures and controls that are reviewed annually. These measures are discussed in Section 1, “Risk factors” of Chapter 2, pages 36 to 44 of this document.

5.6. Duty of care and vigilance plan
This section presents the vigilance plan, which covers all reasonable vigilance measures aimed at identifying risks and preventing serious violations of human rights and fundamental freedoms as well as adverse impacts on health, safety and the environment, as laid down by the French duty of care law (Law no. 2017-399 of 27 March 2017). These risks, serious violations and adverse impacts include those resulting from the activities of the Company and of the companies it controls, within the meaning of Article L. 233-16 of the French Commercial Code, whether directly or indirectly and across the Group’s entire scope of operations, as well as from the activities of subcontractors or suppliers with which Sopra Steria has business relations, in France and around the world.

5.5. Data protection

5.5.1. PROTECTION OF PERSONAL INFORMATION

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – known as the General Data Protection Regulation, or GDPR – entered into force on 25 May 2018. Sopra Steria Group and its subsidiaries have rolled out a programme intended to ensure compliance with this regulation and local laws.
