WORLDLINE_REGISTRATION_DOCUMENT_2017

Corporate Social Responsibility report

Building customer trust with fully available and secured platforms

Compliance for the health industry in France

Worldline's activity in the e-health sector includes the development of information systems that process personal health data and the hosting of that data. Such data is particularly critical because it is confidential. The General Data Protection Regulation (GDPR) of 2016 has broadened the definition of health data to "personal data related to the physical or mental health of a person, including the provision of health care services, which reveals information about the state of health of that person". This definition reflects a wider concept of health data, which can no longer be limited to the mere indication of a disease: the care of a person draws on knowledge of their family and social situation and involves multiple health professionals and social workers. More generally, the new European Regulation strengthens the protection of citizens compared with the previous Directive of 1995. Software development and hosting activities involving such sensitive data must therefore comply with a normative and regulatory framework.

Software development, interoperability and security policy

For application development, the French agency for shared health information systems ("agence des systèmes d'information partagés en santé", ASIP Santé) (2) has defined several standards that allow e-health stakeholders to adopt good practices in this area. Since these standards were set up in 2009, Worldline has regularly taken part in the discussions and consultations on them, in synergy with ASIP Santé. The main ones are the Interoperability Framework for Health Information Systems (CI-SIS) (3) and the General Security Policy for Health Information Systems (PGSSI-S) (4).

In addition to its contributions to the CI-SIS, Worldline has been actively involved in several working groups on interoperability and, more broadly, on the standardization of exchanges and the structuring of health data: Edisanté, Hprim/HL7 France, Healthcare GS1 France and IHE Europe. Since 2005, Worldline has taken part several times in the Connectathon, the annual European event at which the interoperability of developed solutions is tested, which allows it to demonstrate genuine expertise in interoperability. In terms of security, the PGSSI-S is always at the heart of the e-health projects in which Worldline is involved, particularly those that develop solutions handling personal health data. The framework it defines is intended for health and medico-social actors and structures, but also for industry, for which it is responsible for "structuring the software offer". The documentary corpus of these reference frameworks is intended to evolve over time, so Worldline conducts systematic monitoring that allows it to integrate any change into its own analyses and into the resulting services and tools. Implementing the principles and rules described in these standards gives Worldline's customers the guarantee of compliance with the state of the art, backed by the command of these standards by Worldline's experts. Worldline is therefore in a position to support and advise customers in achieving their quality and security objectives.

The regulatory focus is shifting from a banking view towards a broader view that includes the whole payment industry. As new parties enter the payment landscape, complexity and dependencies increase. Worldline is equipped to ensure full compliance for its financial customers in this evolving regulatory and legal environment. The Eurosystem, comprising the European Central Bank and the national central banks of the euro area, promotes the safety and efficiency of payment, clearing and settlement systems under its oversight mandate. These systems play an important role not only in the stability and efficiency of the financial sector and of the euro area economy as a whole, but also in the smooth conduct of the single monetary policy of the euro area and in the stability of the single currency. The Eurosystem's oversight of Financial Market Infrastructures (FMIs) is based on the internationally accepted CPSS-IOSCO Principles for Financial Market Infrastructures (PFMIs), which the ECB's Governing Council adopted in June 2013 as the standards for Eurosystem oversight of all types of FMIs in the euro area under the Eurosystem's responsibility (1). Worldline complies with these principles in all of the countries where it is regulated. In Belgium, the Netherlands and Latvia a regulatory oversight regime applies; in Belgium and the Netherlands the oversight requirements are also incorporated into local law. In the Netherlands, Worldline has been formally supervised by De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) since 2014. In Belgium, the Act on Processors, under which the National Bank of Belgium supervises payment processors, entered into force in July 2017 and also applies to Worldline. Alongside supervision by regulators in some countries, financial institutions, especially in the payments market, are imposing increasing requirements on their suppliers, which leads to additional requirements for Worldline.

For example, in Germany BaFin released an update of the MaRisk requirements in October 2017 with stricter controls and requirements for outsourcing. The General Data Protection Regulation (GDPR, EU Regulation 2016/679) strengthens and unifies data protection for all individuals within the European Union and addresses the export of personal data outside the EU. Worldline will be fully compliant with the GDPR by May 2018, when it becomes applicable. As a Financial Market Infrastructure, Worldline further ensures compliance with applicable laws, rules, regulations and customer expectations through a standard set of key certifications. Certifications for information security (ISO 27001), business continuity (ISO 22301), payment card data (PCI DSS) and quality (ISO 9001) support the Company's ambition and, together with ISAE 3402 reports, provide this high level of assurance.


(1) https://www.ecb.europa.eu/paym/pol/policies/html/index.en.html
(2) http://esante.gouv.fr/asip-sante
(3) http://esante.gouv.fr/services/referentiels/referentiels-d-interoperabilite/cadre-d-interoperabilite-des-systemes-d
(4) http://esante.gouv.fr/services/politique-generale-de-securite-des-systemes-d-information-de-sante-pgssi-s/en-savoir-plus-0
