Worldline - 2019 Universal Registration Document

Worldline: a regulated Group

The 3-D Secure authentication protocol was initially designed to secure online payments by verifying the identity of the cardholder in order to limit the risk of fraud. After several years of widespread use, payment operators have highlighted the sticking points of the current protocol, in particular: transactions that wrongly fail, the poor ergonomics of some authentication paths (particularly on mobile phones) and the low adoption rate by merchants. In 2016, the shareholders of EMVCo, who guarantee the 3-D Secure specifications, began the upgrade to EMV 3DS 2.0, or 3DS2. The improvements made to the protocol by EMVCo aim to:

● Strengthen payment security by offering updated authentication methods;
● Avoid the abandonment of payment during authentication;
● Make the protocol compatible with apps for a more fluid mobile journey;
● Enrich transactional data shared between issuers and acquirers.

"EMV 3DS 2.0" or "3DS2" is the official name of the latest version of the 3-D Secure protocol. It meets the Strong Customer Authentication (SCA) requirements defined by the Regulatory Technical Standards (RTS) published by the European Banking Authority (EBA) and approved in March 2018. It should be noted that the specifications published by EMVCo in October 2017 concern version 2.1.0 of the protocol, version 2.2.0 having been made public in December 2018. Only version 2.2 fully meets the requirements introduced by PSD2.

C.4.4 Protection of personal data

In connection with its business and internal activities, the Worldline Group collects and processes information subject to personal data protection laws and regulations in Europe as well as in other regions in which the Worldline Group operates. Such personal data processing is carried out on behalf of either Worldline Group companies themselves or their customers.

C.4.4.1 Personal data processing within the European Economic Area

Since May 25, 2018, the processing of personal data is regulated by the General Data Protection Regulation (GDPR, 2016/679) within the EU member states and members of the European Economic Area. National legislation can provide further regulation under the opening clauses of GDPR in order to embed this European law into national contexts. GDPR applies to the processing of personal data, whether by automated means or not. "Personal data" is broadly defined as "any information relating to an identified or identifiable natural person", and GDPR applies either to processing activities aimed at citizens of the EU or EEA or when the processing activities are performed in the EU.

GDPR regulates the processing of personal data throughout the entire data processing life cycle: it starts with collection, goes on to the actual usage and ends when the data is no longer needed and is deleted. GDPR defines the person or entity that, alone or jointly with others, determines the purposes and means of the processing of personal data as the "data controller". Any person or entity processing personal data on behalf of a data controller, based on the instructions of the data controller and for the purpose defined by the data controller, is considered to be a "data processor". With respect to each of its processing activities that involve personal data, each Worldline Group entity in Europe conducts a compliance assessment of data processing (CADP) in order to assess the features of the processing in relation to the applicable data protection regulation. This is done by each legal entity in the Worldline Group, as the entities need to be regarded independently for data protection purposes.

Where a Worldline Group entity acts as data controller (for internal processing activities), it is subject to the following obligations:

● Only to process personal data when the criteria set forth in GDPR and local laws and regulations for making data processing lawful have been met (GDPR, article 6). This is the case when one of the following applies: the person concerned has given his or her consent, or the processing of personal data is necessary for the purposes of pursuing a legitimate interest, for the performance of a contract to which the person concerned is a party, to comply with a legal obligation, or for processing carried out in the public interest;
● To ensure that the personal data is (i) processed fairly, lawfully and in a transparent manner, (ii) collected for specific, explicit and legitimate purposes, (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, (iv) accurate and, where necessary, kept up to date, (v) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, and (vi) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
● To be able to demonstrate compliance with the principles relating to the processing of personal data;
● To take particular precautions before processing special categories of personal data (GDPR article 9, e.g., health or biometric data) by assessing the potential risks stemming from such processing and by checking that the explicit consent of the person concerned was received or that the processing is based on one of the exceptions that permit such processing as provided for in applicable law implementing GDPR (for instance when processing is necessary to defend the vital interests of the person concerned or of another person, or when the processing relates to data that was manifestly made public by the person concerned, or is necessary to recognize, exercise or defend a right before courts);
