WORLDLINE_REGISTRATION_DOCUMENT_2017

D

Corporate Social Responsibility report Being an ethical and fair player in business

Internal social networks : in addition, Worldline’s social network, blueKiwi, is a direct communication channel with employees, who can join a specific community called the “Legal Compliance Organization.” The objective is to circulate information on compliance matters, as well as applicable internal rules and policies and enable employees to ask questions about compliance and the application of policies. Online training : The launch in late 2013 and during 2014 of specific an online training program on the Code of Ethics has enabled Worldline to achieve another step in improving its compliance program. This specific training on the principles of the Code of Ethics ensures a better understanding of the Code and promotes the adoption of fair practices on a daily basis. This e-learning training is mandatory for all employees, regardless of their job, function, country and hierarchical level. In 2017, 94% of Worldline employees completed the program [GRI 205-2]. In addition, to ensure a deeper understanding of the specific risks related to corruption, the top 800 of Atos group must complete and be certified in the “fight against corruption” training program developed by the United Nations. Such training is also required for targeted positions (sales, procurement) in the countries in which a corruption risk is identified through self-assessment by the management and compliance officer or when a risk of non-compliance with internal processes has been indicated in a country audit. protection approach Every day, Worldline processes personal data for itself or for its customers. The importance and value of personal data used in day to day business is now obvious. Personal data from both Worldline’s customers and employees is managed with special attention. First, as a fundamental right, the protection of personal data is a key topic for Worldline’s employees who expect their employer to comply with the strictest applicable local legal provisions. In addition, the business opportunities created by the processing of personal data are tremendous, as the debate on big data demonstrates. For these very important reasons, the processing of personal data requires Worldline to adopt formal commitments as well as implement strong organizational and security measures to guarantee a high level of protection to employees’ and customers’ personal data. Data protection [GRI 102-13] and [GRI 103-2 Customer privacy] D.4.1.2 Worldline’s comprehensive data D.4.1.2.1

Worldline has implemented a comprehensive personal data protection approach based on three pillars: Data protection policy; ● Data protection procedures; ● Raising employee awareness of personal data protection ● issues. This approach has been strengthened by the approval of European data protection authorities in coordination with the Atos group Binding Corporate Rules for the processing of personal data both as a data controller (i.e. for its own purposes) and as a data processor (i.e. for the processing of its customers' data). This approval constitutes an official recognition of Worldline’ comprehensive approach to data protection based on the highest European standards of regulations, deployed internally as externally. On November 4, 2014, the Atos group, including Worldline, obtained approval from the European data protection authorities of its Binding Corporate Rules (BCR) for personal data processing on behalf of its customers and for itself. This means that the personal data processed by Worldline benefits from a high level of protection as defined in the European Union Directive. All Atos group entities worldwide are bound by the same obligations and processes, regardless of the country in which they are located. The approval of the Binding Corporate Rules means that the European personal data protection authorities have recognized and validated Atos group's global and stringent approach to personal data protection. With the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) coming into force May 25, 2018, there are several changes and new requirements. Worldline is preparing to meet the requirements of GDPR, with a specific focus on but not limited to the enhanced data subjects’ rights, the assessment and mitigation of risks for data subjects and the comprehensive documentation of all activities related to data protection. More than offering such a high level of protection to its employees’ personal data only, Worldline is able to ensure the same level of protection when acting as a data processor for all its customers’ personal data. Consequently, Worldline meets customer requirements in terms of security and compliance regarding personal data of end users, customers and employees. Binding Corporate Rules: the first IT company certified to process customers’ personal data D.4.1.2.2

134

Worldline 2017 Registration Document