WORLDLINE_REGISTRATION_DOCUMENT_2017

The Group’s business Regulation

C.5.4 Compliance with technical standards

Payment services providers, and, in particular, terminal manufacturers must comply with a number of security standards, including, in particular, standards established by the Payment Card Industry – Security Standard Council (“PCI-SSC”). These security standards seek to improve payment card data security by adopting a broad range of specific standards that apply to the various components of payment card transactions. The main such standard is the Payment Card Industry – PIN Entry Device standard (“PCI-PTS,” formerly PCI-PED), which applies to devices that require the entry of a PIN. The aim of this standard is to guarantee that cardholders’ confidential PINs are always processed by payment acceptance devices in a fully secured manner and to ensure the highest level of payment transaction security. Other PCI-SSC standards have emerged, including PCI-DSS (Payment Card Industry – Data Security Standard), aimed at preserving the confidentiality of payment transaction data, and PCI-UPT (a security standard specific to unattended payment modules). The development of these standards, which requires continual modifications to existing requirements, is managed by the PCI-SSC’s founding members (Visa, MasterCard, JCB, American Express and Discover) in consultation with other electronic payment industry players (payment terminal manufacturers, regulatory bodies, retailers, banking associations, banks, processors, etc.). This system thus allows companies to participate in the development of standards and the rules established to implement them. The Group participates in the European working group on protocol standardization.

By way of example, the Group has obtained the PCI-DSS (Payment Card Industry – Data Security Standard) certification for its secure online payment platform and its Paylib service (cloud-based electronic wallet). This standard aims to ensure that the cardholder’s confidential data as well as any sensitive transaction data are always securely processed at the systems and databases level. The Group is also subject to international certification standards such as ISO 9001, which relates to requirements for quality management systems, and ISO 14001, which relates to environmental requirements for technological infrastructure. Lastly, the Group is subject to international security requirements such as the international standard for payment card security established by the Europay MasterCard Visa User Group (“EMV User Group”), in which the Group participates.

C.5.5 Protection of personal data

In connection with its business activities, the Worldline Group collects and processes information subject to personal data protection laws and regulations in Europe as well as in other regions in which the Worldline Group operates. Such personal data processing is carried out on behalf of both Worldline Group companies themselves and their customers.

C.5.5.1 Personal data processing within the European Economic Area

Until May 24, 2018, Directive 95/46/CE of October 24, 1995 (the “Personal Data Directive”) is the point of reference for personal data protection regulation within the European Economic Area (the “EEA,” which includes the European Union, Iceland, Norway and Liechtenstein). In France, the Personal Data Directive was implemented through various amendments to law no. 78-17 of January 6, 1978, which relates to information technology, filing systems and civil liberties, with the main amendment having been adopted through law no. 2004-801 of August 6, 2004. From May 25, 2018, the General Data Protection Regulation (GDPR) will replace the directive and the national laws within the EU member states. National legislation will give further regulation regarding opening clauses in GDPR in order to embed this European law into national contexts.

The Personal Data Directive and subsequently GDPR apply to automated or non-automated personal data processing when the relevant data is included or is meant to be included in a filing system. “Personal data” is broadly defined as all information relating to a natural person who has been identified or is identifiable directly or indirectly, regardless of his or her country of residence or nationality. The Personal Data Directive and subsequently GDPR require persons and entities responsible for processing personal data that are either incorporated in an EEA member state or have recourse to data processing functions in an EEA member state to put in place a number of measures prior to and at the time the relevant data is collected, while it is stored and until it is erased.

According to the Personal Data Directive and subsequently GDPR, the person or entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (as opposed to a simple subcontractor acting on behalf of a third party) is considered to be a “data controller”. Any person or entity processing personal data on behalf of a data controller, based on the instructions of the data controller and for the purpose defined by the data controller, is considered to be a “data processor”. With respect to each of its activities that involve personal data processing, each Worldline Group entity in Europe conducts an analysis on a case-by-case basis in order to determine whether it is acting in a data controller or data processor capacity.

Worldline 2017 Registration Document