Worldline - 2019 Universal Registration Document


Worldline: a regulated Group

● To put in place technical and organizational measures to protect personal data against accidental and unlawful destruction, accidental loss or unauthorized modification, dissemination or access, taking into account measures like pseudonymization and encryption of personal data, ensuring availability thereof and implementing a process for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures;
● To inform persons concerned about the fact that their personal data is being processed and (a) the identity and contact details of the data controller, (b) the contact details of the data protection officer, (c) the purpose of the processing as well as the legal basis, (d) if applicable the legitimate interest, (e) the recipients or categories of recipients of the personal data, (f) where applicable, the fact that Worldline intends to transfer personal data to a third country, (g) the period for which the personal data will be stored, (h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability, (i) the existence of the right to withdraw consent at any time, (j) the right to lodge a complaint with a supervisory authority, (k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data, and (l) if applicable the existence of automated decision-making, including profiling;
● To refrain from transferring personal data outside of the EEA unless the European Commission considers that the recipient country ensures an adequate level of protection or the transfer is governed by contractual clauses of the type established by the European Commission;
● To only use data processors providing sufficient guarantees to implement appropriate technical and organizational measures;
● To maintain a register of processing activities as data controller;
● To follow the principles of data protection by design and data protection by default when designing solutions and preparing processing activities;
● To carry out the formalities required by the relevant national authorities that regulate personal data protection (such as the Commission Nationale de l’informatique et des libertés in France) prior to effecting data processing operations; these formalities vary according to national laws.

Violation of these obligations by a data controller or by a data processor may result in administrative, civil or criminal sanctions, including fines of up to € 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In respect of activities performed under instruction of a controller, the Group entities act as “data processor” within the meaning of GDPR. In such cases, the Group entity processes personal data with which its clients entrust it and in respect of which such clients are the data controllers. In such instances, the above-described obligations applicable to data controllers apply only to such clients. However, the Group nevertheless provides guarantees to its clients that it will (i) put in place technical and organizational measures to protect the personal data they have provided, especially against accidental loss, unauthorized modification or dissemination, or malicious or unlawful access and (ii) process such data in accordance with the client’s exclusive instructions and for no other purpose than those established by such client. The Group especially fulfils the following obligations:

● To process such data in accordance with the client’s exclusive documented instructions and for no other purpose than those established by such client;
● To put in place technical and organizational measures to protect personal data against accidental and unlawful destruction, accidental loss or unauthorized modification, dissemination or access, taking into account measures like pseudonymization and encryption of personal data, ensuring availability thereof and implementing a process for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures. These technical and organizational measures are part of the instruction of the controller;
● To not engage any other sub-processor without prior specific or general written authorization of the data controller;
● To assist the data controller in ensuring compliance with the relevant obligations of GDPR;
● At the choice of the data controller, to delete or to return all the personal data to the data controller after the end of the provision of services relating to processing, and to delete existing copies;
● To make available to the data controller all information necessary to demonstrate compliance with the relevant obligations of GDPR;
● To maintain a register of processing activities as data processor;
● To follow the principles of data protection by design and data protection by default when designing solutions and preparing processing activities.
