WORLDLINE_REGISTRATION_DOCUMENT_2017

The Group’s business

Regulation

To carry out the formalities required by the relevant national authorities that regulate personal data protection (such as the Commission nationale de l’informatique et des libertés in France) prior to effecting data processing operations; these formalities vary according to national laws. Until May 24, 2018, depending on the country, the violation by a data controller of such obligations may result in administrative, civil or criminal sanctions, including fines that may amount to € 1.5 million for legal persons in France. With GDPR coming into force on May 25, 2018, a violation by a data controller or by a data processor may result in administrative, civil or criminal sanctions, including fines of up to € 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In respect of its other activities, the Group acts in the capacity of “data processor” within the meaning of the Personal Data Directive or of the GDPR. In such cases, the Group processes personal data entrusted to it by its clients, in respect of which such clients are the sole data controllers. In such instances, the above-described obligations applicable to data controllers apply only to such clients. However, the Group nevertheless provides guarantees to its clients that it will (i) put in place technical and organizational measures to protect the personal data they have provided, especially against accidental loss, unauthorized modification or dissemination, or malicious or unlawful access and (ii) process such data in accordance with the client’s exclusive instructions and for no other purpose than those established by such client.
With GDPR coming into force on May 25, 2018, the Group will in particular fulfil the following obligations:

● To process such data in accordance with the client’s exclusive documented instructions and for no other purpose than those established by such client;
● To put in place technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss or unauthorized modification, dissemination or access, taking into account measures such as pseudonymization and encryption of personal data, ensuring the availability thereof and implementing a process for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures;
● To not engage any other processor without the prior specific or general written authorization of the data controller;
● To assist the data controller in ensuring compliance with the relevant obligations of GDPR;
● At the choice of the data controller, to delete or to return all the personal data to the data controller after the end of the provision of services relating to processing, and to delete existing copies;
● To make available to the data controller all information necessary to demonstrate compliance with the relevant obligations of GDPR;
● To maintain a register of processing activities as data processor;
● To follow the principles of data protection by design and data protection by default when designing solutions and preparing processing activities.

Although the law applicable to personal data has to a large extent been harmonized throughout the EEA, the implementation of the Personal Data Directive by the EEA member states has given rise to a certain degree of variation among the regulatory regimes that have been established, some of which are more restrictive than the regime established by the Personal Data Directive. With GDPR coming into force, this harmonization will be strengthened; nevertheless, the opening clauses within the Regulation will still allow a narrower range of national variations in data protection legislation and regulatory instances. In order to ensure a coordinated and harmonized approach respecting the applicable national laws, the Atos group has adopted a “Group Policy related to personal data protection (AP17 policy)” that is applicable to all of its entities and their employees, including those of the Worldline Group. This policy is founded on three key pillars:

(i) A set of principles based on those set forth in the Personal Data Directive and subsequently GDPR;
(ii) A set of procedures that ensure that such principles are implemented; and
(iii) A training program for all group employees, tailored to their positions and responsibilities.

As the requirements regarding notification of Data Protection Authorities, as well as of data subjects, in the case of a personal data breach will change when GDPR comes into force, the Group will update accordingly the process already implemented for personal data breach notification, which is based on the Atos group policy “Personal Data Breach Policy (AP21 policy)”.
The Group’s compliance with the various national laws and the effective implementation of the above-described policy are ensured and managed by a personal data protection network that relies on twofold legal and technical expertise. It comprises Data Protection Officers and designated paralegals in each Worldline Group entity, forming Local Offices dedicated to personal data protection; these are coordinated at Worldline Group level by the Worldline Global Data Protection Officer and at Atos group level by the Group Data Protection Officer, who is responsible for the Global Office. The measures described above have been put in place to comply with GDPR. An overall Worldline GDPR compliance program, aligned with the Atos group GDPR compliance program and supported by several sub-tracks, focuses on both the initial implementation of the new data protection law and the preparation of continuous compliance.
