Worldline - Registration Document 2016

Business Regulation

● to take particular precautions before processing sensitive data (e.g., health or biometric data) such as checking that the explicit consent of the person concerned was received or that the processing is based on one of the exceptions that permit such processing as provided for in applicable law implementing the Personal Data Directive (for instance when processing is necessary to defend the vital interests of the person concerned or of another person, or when the processing relates to data that was manifestly made public by the person concerned or is necessary to recognize, exercise or defend a right before courts);

● to put in place technical and organizational measures to protect personal data against accidental and unlawful destruction, accidental loss or unauthorized modification, dissemination or access;

● except in certain instances set out in the Personal Data Directive, to inform the persons concerned of (a) the fact that their personal data is being processed, (b) the identity of the recipients of the data, (c) the identity of the data controller, (d) the purpose of the data processing, and (e) their access and rectification rights and, in certain cases, their right to object to such processing (and, as the case may be, allow them to enforce these rights);

● to retain personal data for a term that does not exceed the time required for the purposes of the processing thereof;

● to refrain from transferring personal data outside of the EEA unless the European Commission considers that the recipient country ensures an adequate level of protection or the transfer is governed by contractual clauses of the type established by the European Commission. In this respect, it should be noted that, in November 2013, the Atos group was the first IT service company to obtain the validation of its “Binding Corporate Rules” (or “BCR”) both as a processor and as a subcontractor. The positive consequences of this validation are detailed in Section 6.9.5.2.

● to carry out the formalities required by the relevant national authorities that regulate personal data protection (such as the Commission nationale de l’informatique et des libertés in France) prior to effecting data processing operations; these formalities vary according to national laws and can range from a simple declaration to an authority or the maintenance of an internal register, to a requirement to procure an authorization or license prior to undertaking certain types of processing activities (e.g., medical data hosting in France).

Depending on the country, the violation by a data controller of such obligations may result in administrative, civil or criminal sanctions, including fines that may amount up to € 1.5 million for legal persons in France.

In respect of its other activities, the Group acts in a capacity as “subcontractor” within the meaning of the Personal Data Directive. In such cases, the Group processes personal data with which its clients entrust it and in respect of which such clients are the sole data controllers. In such instances, the above-described obligations applicable to data controllers apply only to such clients. However, the Group nevertheless provides guarantees to its clients that it will (i) put in place technical and organizational measures to protect the personal data they have provided, especially against accidental loss, unauthorized modification or dissemination, or malicious or unlawful access and (ii) process such data in accordance with the client’s exclusive instructions and for no other purpose than those established by such client.

Although the law applicable to personal data has to a large extent been harmonized throughout the EEA, the implementation of the Personal Data Directive by the EEA member states has given rise to a certain degree of variation among the regulatory regimes that have been established, some of which are more restrictive than those established by the Personal Data Directive. In order to ensure a coordinated and harmonized approach respecting the applicable national laws, the Atos group has adopted a “Group Policy related to personal data protection (AP17 policy)” that is applicable to all of its entities and their employees, including those of the Worldline Group. This policy is founded on three key pillars:

(i) a set of principles based on those set forth in the Personal Data Directive;

(ii) a set of procedures that ensure that such principles are implemented; and

(iii) a training program for all Group employees, tailored to their positions and responsibilities.

The Group’s compliance with the various national laws and effective implementation of the above-described policy is ensured and managed by a department dedicated to personal data protection, relying on a twofold legal and technical expertise, comprising a network of Data Protection Officers and designated paralegals in each Worldline Group entity, resulting in Local Offices dedicated to personal data protection that are coordinated at Atos group level by the Group Data Protection Officer, responsible for the Global Office.

The measures described above were also put in place in anticipation of the new European legal framework currently being discussed. On January 25, 2012, the European Commission proposed a draft regulation intended to replace the current Personal Data Directive that would establish a new legal framework applicable to all companies that process personal data on European territory. Among the more significant aspects of the draft regulation are the following:

● the introduction of a principle of accountability, which would require data controllers to implement internal rules and mechanisms intended to guarantee and demonstrate to each of their clients, the persons concerned and the authorities in charge of monitoring the protection of personal data that they are in compliance with the regulation;

● a requirement to appoint a personal data protection representative in the European Union where the data controller is not established in the European Union;

● a requirement to carry out impact studies relating to data protection before processing operations that present potential risks; and

● a requirement to provide notifications of personal data violations and, in particular, security breaches.
