Worldline - 2020 Universal Registration Document

EXTRA-FINANCIAL STATEMENT OF PERFORMANCE Building customer trust with reliable, secured, innovative and sustainable solutions

Fast acting adaptation of Worldline to the Covid-19 crisis monitoring D.2.3.4

The Worldline Group has monitored the evolution of the Covid-19 outbreak since the beginning of January 2020. Worldline has activated Global Crisis Management and Business Continuity Plan. The aim was to keep protecting the health of the Group’s employees and ensuring a continuous delivery of the Group’s services. Our employees were fully able to work, from home or on site depending on the local recommendations. Key principles have been defined with the following priorities:(i) protecting the employee and respecting national recommendations; (ii) ensuring the business continuity and (iii) preparing Worldline for the after-crisis. At global level Global Business Continuity coordination has been implemented to follow the evolution of the situation and

to ensure regular monitoring with implementation of work from home as a recovery strategy for staff and follow-up of on-going cases with HR teams. The COMEX has been able to monitor and act directly, based on the input of management on local country level, with local governmental rules and regulations. At the local level, Worldline also activated Business Continuity Plan in collaboration with the Human Resources, Facilities and Security and Safety teams. The key role has been to monitor the local situation and to support the dedicated Global Team in the communication and awareness as well as the timely implementation of measures and escalation through defined Crisis Management Processes. For more information on initiatives in this regard taken by Ingenico, please consult Chapter 2.4.2

Guarantee data protection D.2.4

[GRI 102-13] [GRI 103-1 Customer privacy] [GRI 418-1]

Worldline’s comprehensive data protection approach D.2.4.1

D

Every day, Worldline processes large volumes of personal data for its ow n sue and on behalf of its customers. As a fundamental right, those personal data, used in day to day

Worldline complies with data protection regulation, informs and limits collection of personally identifiable information, information to the strict minimum required for the running of its Consistent with this approach, Data Protection was prioritised among the four most significant extra-financial business risks identified by Worldline.

business from both Worldline’s customers and employees are operations. managed to comply with the strictest applicable regulations. Worldline also leverages the stakes raised by the increasing processing of personal data as a differentiating criteria, thereby guaranteeing a high level of protection to its employees’ and customers’ personal data. In this regard,

Data protection policy and procedures D.2.4.2

TC-SI-220a.1 TC-SI-220a.2 TC-SI-220a.3 TC-SI-220a.4 TC-SI-220a.5

Worldline Data Protection Policy D.2.4.2.1 The first pillar of Data Protection is the Worldline Data Protection Policy that sets up protection principles based on the provisions of the General Data Protection Regulation (GDPR) 1 . These are considered to be the most stringent personal data protection principles. Although GDPR harmonised data protection legislation throughout the EU, the opening clauses and additional local legislation within the EU Member States still allow a certain degree of variation. In order to guarantee compliance with all applicable national laws, Worldline has adopted a consistent policy that is obligatory for all of its entities and their employees. Worldline’s Data

Protection Procedures are also managed within Worldline Security Policy, which supports incidents risk mitigation. In case of an intentional action leading to a data breach, disciplinary actions are foreseen by the Code of Ethics. Furthermore, the internal audit planning also covers data protection. In 2020, one audit related to compliance with data protection legislations and internal policies occurred. Eventually, contractual relationship with Suppliers are covered by a Data Processing Agreement or any relevant documentation (joint controllership, data sharing agreements, standard contractual clauses).

1 GDPR is implemented inside the processes. In the Book of intern control (Blue Book), controls have been setup to cover GDPR. Self-assessments and tests are executed annually to assess the risk. The results of the self-assessment and tests generate action plan to improve the processes.

Universal Registration Document 2020

127