Worldline - 2019 Universal Registration Document

EXTRA-FINANCIAL STATEMENT OF PERFORMANCE

Building customer trust with reliable, secured, innovative and sustainable solutions

D.2.4.3 Data protection policy and procedures

D.2.4.3.1 Worldline Data Protection Policy

The first pillar of Data Protection is the Worldline Data Protection Policy, which sets out protection principles based on the provisions of the General Data Protection Regulation (GDPR). These are considered to be the most stringent personal data protection principles. Although GDPR harmonized data protection legislation throughout the EU, the opening clauses and additional local legislation within the EU Member States still allow a certain degree of variation. In order to guarantee compliance with all applicable national laws, Worldline has adopted a consistent policy that is obligatory for all of its entities and their employees. Worldline's Data Protection Procedures are also managed within the Worldline Security Policy, which supports incident risk mitigation.

D.2.4.3.2 Worldline Data Protection Officer network

In order to implement this policy, the Worldline Global Data Protection Officer reports directly to the Group Head of Security, Risk & Compliance (SRC). Compliance with personal data protection policies, practices and tools is a fundamental element in the continued implementation and extension of Worldline's SRC strategy. The Company has established a strong network of data protection officers and coordinators, led by the Worldline Global Data Protection Officer. Close collaboration and regular exchanges within this network of experts ensure governance for the data processing of both Worldline's employees and its customers. This network of officers and local coordinators aims to support the implementation of the requirements in all activities related to data protection: in the daily routines, proceedings and processing activities, at both company and local level. Thus, Worldline manages the data protection of its organization, led by the Global Data Protection Officer, to assure overall compliance with data protection regulations and reporting to the highest management level.

D.2.4.3.3 Worldline Data Protection commitments

Worldline structured its data protection policy to focus on and achieve the following commitments:

● Ensure data protection as standard in Worldline solutions to address data protection already during design and as a default. Defined procedures ensure "Privacy by design", meaning that privacy is embedded in all processing of personal data by Worldline and as early as possible in the design stage. As a result, Worldline implements data protection by design and by default, taking into account the nature, scope and context of the processing activity as well as possible risks and state-of-the-art technologies;

● Achieve 100% of Compliance Assessment of Data Processing (CADP) performed for all processing activities by 2020 (part of TRUST 2020 commitment) to ensure adequate measures to protect personal data in Worldline's systems. The deployment and use of practical and effective tools such as Compliance Assessment of Data Processing (CADP) has allowed Worldline to comply fully with its data protection obligations. Worldline assessed the overall inventory of processing activities and already covered most of these by CADPs. In 2019, 99% of all processing activities have been covered by Compliance Assessment of Data Processing (CADP). At the same time, Worldline started preparation to roll out an overall Data Protection management tool, also covering CADP, in 2020;

● Train 100% of the Company's employees on a yearly basis regarding security and data protection. Worldline has developed a training program targeting all Worldline's employees to create general awareness on the topic as well as more specific trainings to point out the issues employees face in their particular domain of expertise. In 2019, 85% of Worldline employees attended mandatory online training programs related to personal data protection.

In 2019, Worldline managed all complaints, data subject requests and data breaches following the internal data protection processes in time, thus fully complying with the data protection regulations. No fines have been imposed on Worldline nor have there been any investigations into processing of personal data by Worldline. [GRI 418-1]
