Sopra Steria - 2020 Universal registration document

4 CORPORATE RESPONSIBILITY Ethics and compliance

Sopra Steria does not make use of aggressive tax planning or any structuring methods for its transactions that would detach the tax location from the location of business activity. The Group thus abstains from establishing operations in tax havens (uncooperative countries or territories on the official French list or the European Union’s blacklist), has no bank accounts at banks established in such countries or territories, and more generally abstains from creating any entities that have no economic substance or business purpose. Sopra Steria Group is regularly audited by the competent tax authorities, with which it fully cooperates. The Group complies with the deadlines specified by tax authorities for providing responses to their queries, meets all of its reporting requirements and pays its taxes as required by law. To limit tax risks relating to its activities, and to take advantage of existing tax incentives, exemptions and relief, in accordance with tax laws and the reality of its activities, the Group may enlist the services of outside tax consultants. All advice thus received is reviewed internally to ensure that any resulting application is consistent with the Group’s tax principles. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – known as the General Data Protection Regulation, or GDPR – entered into force on 25 May 2018. Sopra Steria Group and its subsidiaries have rolled out a programme intended to ensure compliance with this regulation and local laws. This programme is directed by the Group’s Legal Department, which is responsible for coordinating measures to protect personal data processed by Group companies (both for their own purposes and on behalf of their clients). This programme is underpinned by an organizational and governance structure and an overarching policy on the protection of personal data. The organisational and governance structure has two tiers: a group tier and a local (country/entity) tier. Data Protection Officers have been appointed within each of the Group entities concerned. The Group Data Protection Officer relies on this structure to roll out the compliance programme across the Group. This programme has the following goals in particular: The rollout of a specific tool to keep records of all processing of p personal data by Group entities, both for their own purposes and on behalf of their clients; The implementation of specific procedures to respond to requests p received from individuals exercising their rights relating to personal data, including the right of access, the right to rectification, the right to object to processing and the right to remove data across the system, including archived and recorded data: For employees of Group companies, • For third parties (for example, job applicants in connection with • recruitment procedures), For personal data processed by Group companies under • contractual arrangements with their clients, as instructed in writing by the latter; Data protection 5.5. %'$) ) $# $ % '($# ! # $'" ) $#

The review of various internal and external media to ensure p compliance with legal and regulatory requirements; The provision of standard contracts and clauses covering the p protection of personal data in the context of contractual relationships with clients, subcontractors and suppliers; The rollout of a mandatory training module for all existing Group p employees and for every new employee; The management of the whistleblowing procedure to report p actual or suspected abuses and irregularities relating to personal data. All external growth transactions involve a due diligence process covering the processing of personal data. Acquired companies are added to this compliance programme upon joining the Group. In addition, at Sopra HR Software, the Sopra Steria Group’s HR solutions publisher subsidiary, the Binding Corporate Rules (BCR) have been in place within its entities since 2015. The Group has put in place a policy and robust system across all its entities and operations, supported by an appropriate organisational structure, procedures and controls that are reviewed annually. This point is presented in Section 1, “Risk factors”, chapter 2 of this Universal Registration Document (pages 36 to 42). As regards awareness-raising and training in the area of information security more specifically, the Group has a catalogue of training made available to employees via the Group Academy. Employees may take one or more of these training courses a year depending on their role. As regards awareness-raising, two e-learning modules are available, which are reviewed every two years. These are also supplemented by information messages and best practice, which are constantly shared on the Group’s intranets. Duty of vigilance and vigilance 5.6. plan This section presents the vigilance plan, which covers all reasonable vigilance measures aimed at identifying risks and preventing serious violations of human rights and fundamental freedoms as well as adverse impacts on health, safety and the environment, as laid down by the French duty of vigilance law (Law no. 2017-399 of 27 March 2017). These risks, serious violations and adverse impacts include those resulting from the activities of the Company and of the companies it controls, within the meaning of Article L. 233-16 of the French Commercial Code, whether directly or indirectly and across the Group’s entire scope of operations, as well as from the activities of subcontractors or suppliers with which Sopra Steria has business relations, in France and around the world. The vigilance plan was prepared by the main departments responsible for the areas covered by the duty of vigilance, discussed with the Group’s Executive Committee and then validated by Executive Management. It was also presented to the Works Council. In addition, as a preliminary step for the preparation of the plan, the results of the Group’s risk mapping exercise for the issues involved were aligned with those of its materiality analysis. %'$) ) # # ( *' # ! #) )

134

SOPRA STERIA UNIVERSAL REGISTRATION DOCUMENT 2020

Made with FlippingBook - Online catalogs