Worldline - 2020 Universal Registration Document

EXTRA-FINANCIAL STATEMENT OF PERFORMANCE Ensuring business ethics within our value chain

Specific compliance in the health D.4.2.3.2 industry Worldline’s activity in the e-health sector is reflected in services that include the development of information systems that process and host personal health data. This data is particularly critical since it is confidential and personal information, as highlighted in the GDPR (refer to Section D.2.4): “personal data relating to the physical or mental health of a person, including the providing health care services, which reveals information about the state of health of that person” 1 . The software development and hosting activities related to these sensitive data require a specific compliance with a normative and regulatory framework. Since 2009, Worldline participates to and integrates definitions of several standards in the software development, interoperability and security of health e-services, in synergy with the French digital health agency ( Agence du Numérique en Santé or ANS). The French Health Information Systems Interoperability Framework (CI-SIS) is among the main standards that have emerged, as well as the health information systems security policy (PGSSI-S). Since 2005, Worldline has also participated several times in the “IHE Connectathon”, an annual European meeting which approves the interoperability of the developed solutions and allows displaying true expertise in interoperability.

The Company conducts a systematic and continuous monitoring of these standards, their evolution and their implementation, to ensure its customers the guarantee of compliance with the state of the art, and the control of these standards by Worldline’s experts. For instance, references and solutions developed by Worldline include three computer security standards that became applicable in 2018: The “INS-C” referencing, the “DMP-Compatibility” certification (intended to validate the software’s ability to interface with the shared medical record (DMP) implemented by the CNAM) and the “computer assisted prescription software” certification, obtained for two applications in order to secure medication prescriptions in addiction centres on the one hand, and in maternal and child health centres on the other hand. In 11/2017, then in 08/2020, CNAM entrusted Worldline with the generalisation of the DMP for all French citizens. Thus, Worldline Group has been one of the first providers as from 2010 to be granted authorisation for the hosting of personal health data (HDS approval). In 2019, several approvals were operational through various projects operated by Worldline. The Company also took part in consultation processes driven by ANS in order to build a certification reference system based on its own feedback and pragmatic bases. Thus, Worldline renewed in 2019 its authorisation and got this new certification for personal health data hosting (based on the new HDS requirements framework from ANS). sanctions for non- compliance with laws and regulations in 2020. It received no complaint from customers or suppliers related to corruption. To prevent risks, it is based on several policies: Assessment of partners’ ethical behaviour: any ● intermediaries, consortium partners or consultants assisting Worldline in developing/retaining its business are screened before the beginning of any business relationship: their behaviour and knowledge of ethics are essential criteria that are checked upstream all relationships; Worldline’s business related fraud risk management: ● Worldline Group, as an issuer processor, has put in place all necessary measures, in accordance with best practices ( e.g. PCI certification) to minimise the risk of data breaches. As a commercial acquirer, the Group must ensure compliance with payment security rules established by the organisations that issue PCI certifications and address money laundering risks. The Group’s fraud risk management department has implemented various policies and procedures to address these risks. For example, Worldline SA/NV, the Group’s Belgian subsidiary, has an anti-money laundering (AML) policy in place since 2011 (overseen by the local banking regulator). It sets out the general principles of AML, the “Know Your Customer” (KYC) principle as applied at Worldline SA/NV, and the allocation of responsibility between the Sales and Marketing (S&M)

D

Fight against bribery and corruption [GRI 103-1 Anti-corruption] D.4.3 [GRI 103-1 Socio-economic compliance] [GRI 103-2 Anti-Corruption] [GRI 103-2 Indirect Economic Impacts] [GRI 419-1] [GRI 207-1 Approach to tax] [GRI 207-4 country by country reporting]

Policies against corruption D.4.3.1 and against fraud in general [GRI 102-17]

[GRI 103-2 Anti-Corruption] [GRI 103-2 Indirect Economic Impacts] [GRI 103-2 Indirect Economic Impacts] [GRI 207-1 Approach to tax] [GRI 207-2 Tax governance, control, and risk management] [GRI 207-3 Stakeholder engagement and management of concerns related to tax] [GRI 207-4 country by country reporting]

As a signatory of the United Nations Global Compact since 2016, and with the appointment of Worldline to the Board of Directors of the Global Compact France in 2020, Worldline has implemented several internal policies and processes to prevent compliance risks such as bribery, corruption, violations of competition laws, export control laws, and fraud in general all along its value chain. The following policies are applied throughout the Company. Thanks to these measures, Worldline was not subject to any claims, penalties or major

1 Article 4(15) GDPR.

Universal Registration Document 2020

177