Worldline - 2019 Universal Registration Document

Worldline: a regulated Group

Although by introducing GDPR the law applicable to personal data has to a large extent been harmonized throughout the EEA, the opening clauses within the Regulation still allow a narrow range of national variations within data protection legislation and regulatory instances. In order to ensure a coordinated and harmonized approach respecting the applicable national laws, the Group has adopted a policy related to personal data protection that is applicable to all of its entities and their employees, including those of the Worldline Group. This policy is founded on three key pillars:

(i) A set of principles based on those set forth in GDPR;
(ii) A set of procedures that ensure that such principles are implemented; and
(iii) A training program for all group employees, tailored to their positions and responsibilities.

To comply with requirements regarding notification of Data Protection Authorities as well as data subjects in the case of personal data breach, the Group has implemented a process for personal data breach notification built on the Group's policy related to personal data protection.

The Group’s compliance with the various national laws and effective implementation of the above-described policy is ensured and managed by a personal data protection network, relying on a twofold legal and technical expertise, comprising Data Protection Officers and designated paralegals in each Worldline Group entity, resulting in Local Offices dedicated to personal data protection that are coordinated by the Global Data Protection Officer and the Group Chief Data Protection Officer, the latter being in charge of the Global Office.

The measures described above have been put in place to comply with GDPR. Continuous improvements and regular synchronization of the Group Data Protection Community ensure consistent compliance.

C.4.4.2 Data processing carried out outside the European Economic Area

The Worldline Group carries out personal data processing operations in numerous countries outside of the EEA. Such processing is in some instances conducted on behalf of customers themselves located outside the EEA, while in others it is conducted on behalf of customers located within the EEA to whom the Worldline Group provides “offshore” services as an integral part of the services it offers.

Although there is no international regulation that harmonizes all of the principles applicable to personal data protection, the regulatory framework applicable within the EEA is seen as the authority on such matters due to its strict and pioneering nature and the influence it has had on legislation that has emerged in numerous countries that have used it as a model, such as in North Africa, Latin America and Asia. This is why the Group implemented, for 2019, the Binding Corporate Rules (or “BCR”), which aim to ensure that all entities worldwide, whatever the country they are located in, give a high level of protection to the personal data they process, either as a data controller or as a data processor.

The BCR constitute stringent commitments for all Group entities, whatever the country they are located in (Europe, Latin America, Africa, Asia, etc.), whereby they commit to respect numerous principles related to the personal data they process. These principles are based on requirements defined by GDPR. These commitments were recognized by a large number of European personal data protection authorities as enabling a high level of data protection, when such data is processed on behalf of the Group’s clients (the Group acting as a data processor) or for itself as a data controller. They allow Worldline entities to transfer such data out of the European Union to other Group entities in a simplified, easy and secure fashion.
