WORLDLINE_REGISTRATION_DOCUMENT_2017

Corporate Social Responsibility report Being an ethical and fair player in business

D.4.1.2.3 Data protection Policy

The first pillar is the Atos Data Protection Policy, which sets out protection principles based on the provisions of EU Directive 95/46 on personal data protection. These are considered to be the most stringent personal data protection principles. In October 2017 this policy was enhanced and adapted to the requirements of the GDPR.

In 2017, Directive 95/46/EC of October 24, 1995 (the “Data Protection Directive”) was still the point of reference on the matter within the European Economic Area (the “EEA,” which includes the European Union, Iceland, Norway and Liechtenstein). Although the GDPR will harmonize data protection legislation throughout the EU, the opening clauses and additional local legislation within the EU Member States will still lead to a certain degree of variation during implementation of the new European data protection law. Moreover, like the Data Protection Directive before it, the GDPR must first be incorporated into the EEA Agreement before it can be implemented into national law in Iceland, Norway and Liechtenstein.

In order to guarantee compliance with all applicable national laws, the Atos group has adopted a consistent policy that is obligatory for all of its entities and their employees, founded on three key elements:
(i) Principles based on the Data Protection Directive;
(ii) Procedures that ensure that such principles are implemented; and
(iii) A training program for all Group employees, tailored to their positions and responsibilities.

Worldline is working closely with the European Commission and the entire payment ecosystem to define and improve the payment value chain in order to reduce risks and facilitate competition and transparency, while encouraging innovation and standardization for the benefit of the consumer and the merchant.
D.4.1.2.4 Governance

The Atos group Chief Data Protection Officer, who reports directly to the Group Head of Compliance (one of the key executives of the Group Legal, Compliance and Contract Management (“LCM”) department), an 80-member strong Personal Data & Privacy Protection Organization established in close cooperation by the Group LCM department and Group Security, and other significant resources have been allocated to the management of the topic. This organization, which has been restructured in close cooperation with the Group Security Organization in order to improve its efficiency and the reach of personal data protection policies, practices and tools, is a fundamental element in the continued implementation and extension of this strategy. Proceeding with this continuous improvement, Worldline established the position of Worldline Global Data Protection Officer by July 2017. A strong network of local data protection officers and data protection coordinators ensures governance and support both for processing data for Worldline’s own account and for processing on behalf of its customers.

D.4.1.2.5 Data protection employee awareness

Worldline is convinced that personal data protection would not be sufficiently addressed if its employees lacked awareness and knowledge on the matter. Worldline has therefore, as a third pillar, developed a training program targeting all of Worldline’s employees to create general awareness of the topic, as well as more specific trainings that point out the issues employees face in their particular domain of expertise. In 2017, 90% of Worldline employees attended mandatory online training programs related to personal data protection.

D.4.1.2.6 PCI-DSS Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. As Worldline processes a huge quantity of cardholder data on behalf of many of its clients’ customers, it must fully comply with the PCI-DSS standard. As a payment services provider, Worldline is audited every year by a Qualified Security Assessor (QSA) to keep its PCI-DSS certification. The PCI-DSS standard consists of 12 main requirements that can be summarized as follows:
● To build and maintain a secure network;
● To protect cardholder data;
● To maintain a vulnerability management program;
● To implement strong access control measures;
● To regularly monitor and test networks;
● To maintain an information security policy.

Concretely, that means regular security training for employees, a review of the security policy and its application, and the management and updating of many security measures. Worldline has been PCI-DSS certified for nine years. It began certification with its e-Commerce solution (WL SIPS). Its acquisition, issuing, clearing and settlement services are now also compliant with major e-payment standards such as VISA and 3D Secure.

D.4.1.2.7 TRUST 2020: Worldline commits to data protection for the long term

The deployment and use of practical and effective tools such as Privacy Impact Assessments (PIA) has allowed the Atos group to remain at the forefront of data protection compliance. This is achieved by anticipating and integrating both the “accountability” principle and the privacy by design approach in the creation and implementation of its systems and services.


Worldline 2017 Registration Document
