Worldline - Registration Document 2016

6

Business Regulation

Rules (or “BCR”) aimed to ensure that all entities worldwide whatever the country they are located in, give a high level of protection to the personal data they process, either as a processor or as a subcontractor processing on behalf of its clients. The BCR constitutes stringent commitments for all Atos and Worldline group entities, whatever the country they are located in (Europe, Latin America, Africa, Asia, etc.), whereby they commit to respect numerous principles related to the personal personal data protection authorities as enabling a high level of data protection, when such data is processed on behalf of the commitments were recognized by a large number of European Group’s clients (subcontracting) or for itself as a processor. They allow Worldline entities to transfer such data out of the data they process. These principles are based on requirements defined by the Personal Data Protection Directive. These European Union to other Atos’ entities in a simplified, easy and secured fashion. acting not only as processors but also as subcontractors (i.e. These commitments are voluntary, unilateral, rare in the IT service industry as they cover both Atos and Worldline entities, when data is processed on behalf of their clients) and demonstrate the focus given to personal data protection.

Worldline Group develops the implementation of these various requirements in order to be prepared for the new requirements Policy related to personal data protection and of the BCR, the that could result from the new European legal framework currently being contemplated. The European authorities have Through the deployment and the implementation of the Group indeed reached an agreement at the end of 2015 on the text of the new Regulation on Personal Data Protection. The May 2018. corresponding EU Regulation (2016/679) was adopted on 27 April 2016 and will enter into force in the European Union on 25

6.9.5.2

Data processing carried out outside the European Economic Area

The Worldline Group carries out personal data processing operations in numerous countries outside of the EEA. Such processing is in some instances conducted on behalf of customers themselves located outside the EEA, while in others it is conducted on behalf of customers located within the EEA to whom the Worldline Group provides “offshore” services as an integral part of the services it offers. Although there is no international regulation that harmonizes all of the principles applicable to personal data protection, the regulatory framework applicable within the EEA is seen as the authority on such matters due to its strict and pioneering nature and the influence it has had on legislation that has emerged in numerous countries that have used it as a model, such as in North Africa, Latin America and Asia. This is why the Atos group, which includes the companies of the Group, chose to adopt and implement the Binding Corporate

72

Worldline 2016 Registration Document