Worldline - 2020 Universal Registration Document

C DESCRIPTION OF THE GROUP’S BUSINESS
Worldline: a regulated Group

necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data, and (l) if applicable the existence of automated decision-making, including profiling;
● To refrain from transferring personal data outside of the EEA unless the European Commission considers that the recipient country ensures an adequate level of protection or the transfer is governed by contractual clauses of the type established by the European Commission;
● To only use data processors providing sufficient guarantees to implement appropriate technical and organizational measures;
● To maintain a record of processing activities as data controller;
● To follow the principles of data protection by design and data protection by default when designing solutions and preparing processing activities.

Infringement by a data controller or by a data processor may result in administrative, civil or criminal sanctions, including fines up to € 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In respect of activities performed under instruction of a controller, the Group entities act as “data processor” within the meaning of GDPR. In such cases, the Group entity processes personal data with which its clients entrust it and in respect of which such clients are the data controllers. In such instances, the above-described obligations applicable to data controllers apply only to such clients.
However, the Group provides guarantees to its clients that it will (i) put in place technical and organizational measures to protect the personal data they have provided, especially against accidental loss, unauthorized modification or dissemination, or malicious or unlawful access and (ii) process such data in accordance with the client’s exclusive instructions and for no other purpose than those established by such client. The Group especially fulfills the following obligations:
● To process such data in accordance with the client’s exclusive documented instructions and for no other purpose than those established by such client;
● To put in place technical and organizational measures to protect personal data against accidental and unlawful destruction, accidental loss or unauthorized modification, dissemination or access, taking into account measures like pseudonymization and encryption of personal data, ensuring availability thereof and implementing a process for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures. These technical and organizational measures are part of the instruction of the controller;
● To not engage any other sub-processor without prior specific or general written authorization of the data controller;
● To assist the data controller in ensuring compliance with the relevant obligations of GDPR;
● At the choice of the data controller, to delete or to return all the personal data to the data controller after the end of the provision of services relating to processing, and to delete existing copies;
● To make available to the data controller all information necessary to demonstrate compliance with the relevant obligations of GDPR;
● To maintain a register of processing activities as data processor;
● To follow the principles of data protection by design and data protection by default when designing solutions and preparing processing activities.

Although by introducing GDPR the law applicable to personal data has to a large extent been harmonized throughout the EEA, the opening clauses within the Regulation still allow a narrow range of national variations within data protection legislation and regulatory instances. In order to ensure a coordinated and harmonized approach respecting the applicable national laws, the Group has adopted a policy related to personal data protection that is applicable to all of its entities and their employees, including those of the Worldline Group. This policy is founded on three key pillars:
(i) A set of principles based on those set forth in GDPR;
(ii) A set of procedures that ensure that such principles are implemented; and
(iii) A training program for all group employees, tailored to their positions and responsibilities.

To comply with requirements regarding notification of Data Protection Authorities as well as data subjects in the case of a personal data breach, the Group has implemented a process for personal data breach notification built on the Group’s policy related to personal data protection.
The Group’s compliance with the various national laws and effective implementation of the above-described policy is ensured and managed by a personal data protection network, relying on a twofold legal and technical expertise, comprising Data Protection Officers and designated paralegals in each Worldline Group entity, resulting in Local Offices dedicated to personal data protection that are coordinated by the Global Data Protection Officer, in charge of the Privacy Office and reporting to the Head of Group Compliance.
