Worldline - 2020 Universal Registration Document

DESCRIPTION OF THE GROUP’S BUSINESS Worldline: a regulated Group

The measures described above have been put in place to comply with GDPR. Continuous improvements and regular synchronization with the Group Data Protection Community ensures consistent compliance.

condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include contractual arrangements with the recipient of the personal data, using, the standard contractual clauses approved by the European Commission (Standard Contractual Clauses). These contractual clauses allow Worldline entities to transfer such data out of the European Union to other Group entities in a secured fashion and with appropriate safeguards. The European Court of Justice (“ECJ”) issued on July 16, 2020 a landmark ruling that invalidated the EU – US Privacy Shield Framework (“Privacy Shield”) in Case C-311/18 (“Schrems II”). The focus of the Court’s concern did not relate to the commercial aspects of Privacy Shield ( e.g. , the substantive privacy rules followed by participating US companies) but rather to the ability of US intelligence agencies to gather data under current US law and practice without providing sufficient privacy protections for EU residents The Court of Justice judgment has wider implications than the invalidation of an EU-US transfer mechanism itself. It raised an increased burden of accountability This decision is impacting for Worldline and a global review of its contracts has been engaged with the Group sub-contractors transferring data to the US. With the acquisition of Ingenico Group with affiliates all across the globe, Worldline has put in place a roadmap of steps to ensure compliance with GDPR level of protection of personal data in accordance with the European Data Protection Board (“EDPB”) guidelines and the supplementary measures following Schrems II.

Data processing carried out C.4.4.2

outside the European Economic Area

The Worldline Group carries out personal data processing operations in numerous countries outside of the EEA. Such processing is in some instances conducted on behalf of customers themselves located outside the EEA, while in others it is conducted on behalf of customers located within the EEA to whom the Worldline Group provides “offshore” services as an integral part of the services it offers. Although there is no international regulation that harmonizes all of the principles applicable to personal data protection, the regulatory framework applicable within the EEA is seen as the authority on such matters due to its strict and pioneering nature and the influence it has had on legislation that has emerged in numerous countries that have used it as a standard, such as in North Africa, Latin America (Brazil with the LGPD that comes into force) and Asia (draft Bills in India, China). The protection offered by the GDPR travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands The GDPR provides different tools to frame data transfers outside of the EEA and through the provision of appropriate safeguards and on

C

Universal Registration Document 2020

73