Worldline - 2020 Universal Registration Document

D EXTRA-FINANCIAL STATEMENT OF PERFORMANCE

Building customer trust with reliable, secured, innovative and sustainable solutions

TC-SI-220a.2 and TC-SI-220a.4 have not been reported as they are outside the scope of Worldline. First, the number of users whose information is used for secondary purposes does not apply to Worldline, as it does not carry out secondary purposes. Secondly, (i) the number of law enforcement requests for user information, (ii) the number of users whose information was requested and (iii) the percentage resulting in disclosure mainly concern companies based in the United States and/or where American privacy laws apply.

Regarding the percentage involving personally identifiable information (PII) (TC-SI-230a.1), Worldline internally monitors the number of personal data breaches in accordance with the GDPR. Disclosing the percentage of data breaches (a wider scope and a different meaning from the GDPR’s definition) involving PII would therefore constitute a second and potentially conflicting reporting, which does not appear to be relevant as the number of personal data breaches is already internally monitored and duly registered.

Regarding the number of users affected (TC-SI-230a.1), Worldline does not report this specific information. As a matter of fact, Worldline mainly acts as a data processor and has no access to users. As it is acting mainly in this capacity, any obligation to disclose the number of users affected lies with its customers acting as data controllers.

Regarding TC-SI-220a.3, devoted to the total amount of monetary losses as a result of legal proceedings associated with user privacy, Worldline did not disclose this information as it is too sensitive.

Regarding the list of countries where core products or services are subject to government-required monitoring, blocking, content filtering or censoring (TC-SI-220a.5), it is not yet disclosed by Worldline, but this is intended to be carried out next year.
D.2.4.2.2 Worldline Data Protection Officer network

In order to implement this policy, the Worldline Global Data Protection Officer reports directly to the Group Head of Security, Risk & Compliance (SRC). Compliance with personal data protection policies, practices and tools is a fundamental element in the continued implementation and extension of Worldline’s SRC strategy. The Company has established a strong network of data protection officers and coordinators, led by the Worldline Global Data Protection Officer. Close collaboration and regular exchanges within this network of experts ensure governance for the data processing of both Worldline’s employees and its customers. This network of officers and local coordinators aims to support the implementation of the requirements in all activities related to data protection: in the daily routines, proceedings and processing activities, at both company and local level. Thus, Worldline manages the data protection of its organisation, led by the Global Data Protection Officer, to assure overall compliance with data protection regulations and reporting to the highest management level.

D.2.4.2.3 Worldline Data Protection commitments

Worldline structured its data protection policy to focus on and achieve the following commitments:

● Ensure data protection as standard in Worldline solutions to address data protection already during design and as a default. Defined procedures ensure “Privacy by design”, meaning that privacy is embedded in all processing of personal data by Worldline and as early as possible in the design stage. As a result, Worldline implements data protection by design and by default, taking into account the nature, scope and context of the processing activity as well as possible risks and state of the art technologies;

● Achieve 100% of Compliance Assessment of Data Processing performed for all active processing activities by 2020 (part of TRUST 2020 commitment) to ensure adequate measures to protect personal data in Worldline’s systems. The deployment and use of practical and effective tools such as Compliance Assessment of Data Processing has allowed Worldline to comply fully with its data protection obligations. Worldline assessed the overall inventory of processing activities and already covered most of these by Compliance Assessment of Data Processing. In 2020, 99.7% of all processing activities have been covered by Compliance Assessment of Data Processing. At the same time Worldline started preparation to roll out an overall Data Protection management tool, also covering Compliance Assessment of Data Processing, in 2020;

● Train 100% of the Company’s employees on a yearly basis regarding security and data protection. Worldline has developed a training programme targeting all Worldline’s employees to create general awareness on the topic as well as more specific trainings to point out the issues employees face in their particular domain of expertise. In 2020, 91% of Worldline employees attended mandatory online training programmes related to personal data protection (1).

(1) Given the pandemic situation, the completion period has been exceptionally extended until the end of January.
