Worldline - Registration Document 2016

6

Business Regulation

6.9.4 Compliance with technical standards

Payment services providers, and, in particular, terminal manufacturers must comply with a number of security standards, including, in particular, standards established by the Payment Card Industry – Security Standard Council (“PCI-SSC”). These security standards seek to improve payment card data security by adopting a broad range of specific standards that apply to the various components of payment card transactions. The main such standard is the Payment Card Industry – PIN Entry Device standard (“PCI-PTS,” formerly PCI-PED), which applies to devices that require the entry of a PIN. The aim of this standard is to guarantee that cardholders’ confidential PINs are always processed by payment acceptance devices in a manner that is fully secured and to ensure the highest level of payment transaction security. Other PCI-SSC standards have emerged, including PCI-DSS (Payment Card Industry – Data Security Standard) aimed at preserving the confidentiality of payment transaction data and PCI-UPT (security standard specific to unattended payment modules). The development of these standards, which requires continual modifications to existing requirements, is managed by the PCI-SSC’s founding members: Visa, MasterCard, JCB, American Express and Discover in consultation with other electronic payment industry players (payment terminal manufacturers, regulatory bodies, retailers, banking associations, banks, processors, etc.). This system thus allows companies to participate in the development of standards and the rules established to implement them. The Group participates in the European working group on protocol standardization.

By way of example, the Group has obtained the PCI-DSS (Payment Card Industry – Data Security Standard) certification for its secure online payment platform and its Pay-lib service (cloud-based electronic wallet). This standard aims to ensure that the cardholder’s confidential data as well as any sensitive transaction data are always securely processed at the systems and databases level.

The Group is also subject to international certification standards such as ISO 9001, which relates to requirements for quality management systems, and ISO 14001, which relates to environmental requirements for technological infrastructure.

Lastly, the Group is subject to international security requirements such as the international standard for payment card security, established by the Europay MasterCard Visa User Group (“EMV User Group”), in which the Group participates.

6.9.5 Protection of personal data

In connection with its business activities, the Worldline Group collects and processes information subject to personal data protection laws and regulations in Europe as well as in other regions in which the Worldline Group operates. Such personal data processing is carried out on behalf of both Worldline Group companies themselves and their customers.

6.9.5.1 Personal data processing within the European Economic Area

Directive 95/46/CE of October 24, 1995 (the “Personal Data Directive”) is the point of reference for personal data protection regulation within the European Economic Area (the “EEA,” which includes the European Union, Iceland, Norway and Liechtenstein). In France, the Personal Data Directive was implemented through various amendments to law no. 78-17 of January 6, 1978, which relates to information technology, filing system and civil liberties, with the main amendment having been adopted through law no. 2004-801 of August 6, 2004. The Personal Data Directive applies to automated or non-automated personal data processing when the relevant data is included or is meant to be included in a filing system. “Personal data” is broadly defined as all information relating to a natural person who has been identified or is identifiable directly or indirectly, regardless of his or her country of residence or nationality. The Personal Data Directive requires persons and entities responsible for processing personal data that are either incorporated in an EEA member state or have recourse to data processing functions in an EEA member state, to put in place a number of measures prior to and at the time the relevant data is collected, while it is stored and until it is erased. According to the Personal Data Directive, the person or entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (as opposed to a simple subcontractor acting on behalf of a third party), is considered to be a “data controller”. With respect to each of its activities that involve personal data processing, each Worldline Group entity in Europe conducts an analysis on a case-by-case basis in order to determine whether it is acting in a data controller or subcontractor capacity.

Where a Worldline Group entity functions as a data controller (for instance those entities that handle employees’ personal data or anti-fraud measures), it is subject to the following obligations:

● to satisfy the criteria set forth in the Personal Data Directive for making data processing legitimate, which include, among others, that the person concerned has given his or her consent or the processing of personal data is necessary for the purposes of pursuing a legitimate interest or for the performance of a contract to which the person concerned is a party;

● to ensure that the personal data is (i) processed fairly and lawfully, collected for specific, explicit and legitimate purposes, and proportionate for such processing and/or collecting purposes, and (ii) accurate and, where necessary, kept up-to-date;
