SOLOCAL_Registration Document_2017

3 CORPORATE SOCIAL RESPONSIBILITY

3.4 Societal responsibility

Requests received to amend or delete personal data at 31/12

| PagesJaunes | 2015 | 2016 | 2017 |
|---|---|---|---|
| Requests received by Customer Service: | | | |
| Requests for deletion (Do-Not-Call ex - Directory list integration) | 20,609 | 21,376 | 33,485 |
| Requests for modifications (No-advertizing list, PagesBlanches, aerial views) | 27,973 | 31,195 | 46,636 |
| Requests received directly by the DPC | 219 | 255 | 185 |
| Requests received by the DPC from CNIL | 8 | 2 | 3 |

The DPC team continues to publish brief information on its Intranet site, in particular on the General Data Protection Regulation (GDPR), cloud computing and data transfers outside the European Union, as well as briefs related to the news (cancellation of Safe Harbor, validation of Privacy Shield, etc.).

In Spain, QDQ raises the awareness of its new employees, during their initial training, of the importance of the security of personal data. A section of the intranet is dedicated to information related to the GDPR.

Internal and external audits of “personal data”

In 2010, the CNIL carried out checks on the “web crawl” service launched in March 2010, which was intended to supplement the response list of the pagesblanches.com directory with referenced responses on the public profiles of the main social networks. The Commission nationale de l’informatique et des libertés issued a public warning to SoLocal Group, following which an appeal was lodged by SoLocal Group before the Council of State. This appeal was dismissed on 12 March 2014.

The Hamon Act on Consumer Protection No. 2014-344 dated 17 March 2014 amended the French Data Protection Act and enabled the CNIL to conduct inspections and audits online and to note failures to comply with the French Data Protection Act remotely, from a computer connected to the Internet.

In this context, in October 2014 the CNIL began to perform remote audits to check the compliance of website operators, including various online publishers (including some of the Group’s subsidiaries), as recommended on 5 December 2013. These audits covered, in particular, the placement of cookies upon initial page display, the relevance of the data collected, verification that claimed procedures were in place, compliance with information obligations and data security.
These audits continued in 2015 and 2016; the DPC team sent its new recommendations to those responsible for the Group’s websites on respect for private life through user information (cookie banner, information on personal data collection forms, introduction of a policy on the protection of private life, etc.) and on the need to observe the rules on data security: no storage or transfer of plaintext passwords.

The 2017 figures, up from 2016, reflect a greater sensitivity of citizens to the dissemination of their data in directories: +57% of applications for inclusion in the Do-Not-Call list (liste rouge) and +37% for changes to personal data.

2.4 days were allowed in 2017 to process requests to delete personal data (excluding requests handled directly by the DPC). For requests to modify data, this processing time was 3.1 days. Despite the strong growth in demand, the processing time remains almost stable.

In-house “personal data” training

Ensuring that the Group’s activities comply with the Law requires that employees who manipulate personal data or create services based on such data be fully trained on their legal obligations. It is in this context that the DPC team provides ad hoc and recurring training for the Company’s employees.

The year 2017 was marked by acceleration in training offered by the DPC team, in the context of the imminent onset of the General Data Protection Regulation (GDPR). This involves many changes to the rules on the protection of personal data, and requires rigorous training for all the Group’s employees who process personal data. To this extent, a program to bring the Group into compliance with the GDPR was launched with the Group’s General Secretary as sponsor.

In addition, during the year 2017, training was provided mainly to:

- technical teams who were trained in the security requirements for personal data, including the need to adopt a risk-based approach to determine the security measures that guarantee privacy protection of those concerned;
- all of the Group employees as part of a programme on the protection and security of personal data (Product Friday). A video of this event is available on the Group’s website;
- some business lines that were specifically trained in the new general regulations on the protection of personal data, including marketing teams, staff in charge of conducting studies, and the Human Resources department;
- specific training courses were organised as part of the Group’s GDPR compliance program.
