CAPGEMINI_REGISTRATION_DOCUMENT_2017

CORPORATE GOVERNANCE - RISKS{AND INTERNAL{CONTROL

2.5 Risks and internal control

d. Legal risks Capgemini Group provides a range of services to its clients who in turn operate in a variety of business sectors. All services relating to a given project are covered by contracts signed with our clients as well as our suppliers and sub-contractors (software, IT hardware, host sites, etc.) when implementing tailored solutions. Each contract may be governed by specific regulations that could negatively impact our activities. Other factors such as the size and geographic locations of the Group also expose it to legal and tax risks. Risk analysis The acceptance of unfavorable conditions, such as unlimited liability in certain circumstances, comprises a risk. Contractual risks may notably arise when the Group's liability for failing to fulfill certain obligations is unlimited, on the acceptance of financial guarantees, when there is no liability protection clause in relation to services affecting health and safety or the environment, and when the rights of third parties are not respected. Risk management systems The Group has established a Contract Clause Negotiating Guide, which identifies clauses exposing the Group to risk and requires information to be reported to the Legal Department and its approval in the event of derogation from accepted standard positions. Criteria determining when it is necessary to report to the Group Review Board have also been defined for contracts identified by the Group as presenting a high level of risk due to their size or complexity. In this context, the Group Review Board is the only entity authorized to approve derogatory clauses following a thorough review of the potential impacts. Risk analysis The Group is a multinational company operating in several countries and providing services to clients who, in turn, operate around the world and are subject to numerous and constantly changing laws and regulations. These mainly include, for example, anti-corruption laws, import and export controls, anti-trust laws, sanctions, immigration rules, safety obligations and employment legislation. The sheer diversity of local laws and regulations applicable and the constant changes therein, exposes the Group to a risk of infringement of such laws and regulations by under-informed employees especially those working in countries that have a different culture to their own - and to the risk of indiscretion or fraud committed by employees. As stringent as they may be, the legal precautions taken by the Group both at a contractual and an operational level to protect its activities or to ensure adherence by employees to internal rules can only provide reasonable assurance and never an absolute guarantee against such risks. Contracts Compliance with legislation

Risk management systems The Group has a Legal Department with an established presence in the main geographic areas. Its role is to monitor changes in legislation relevant to the Group's activities and provide training in the main legal issues. The Group has also adopted a Code of Business Ethics and an anti-trust policy and calls on a network of Legal Counsels who double-up as Ethics & Compliance Officers and participate in identifying risks and train and monitor employees in order to guarantee compliance. In addition, drawing on employee commitment to the Group’s values, first among which honesty and trust, on a global risk management and mapping system at Group level and on the countries that have developed specific systems in response to local legislative requirements, Capgemini continues to implement measures and procedures to prevent and detect, in France and elsewhere, acts of corruption or influence peddling. In particular, it has introduced an awareness-raising and training program, a code of conduct, an internal whistle-blowing system and third-party assessment procedures in order to satisfy the requirements of French Law no. 2016-1691, known as the “Sapin 2” Law.{Measures to ensure compliance with obligations introduced by French Law no. 2017-399 of March{27, 2017 on the duty of care of parent and sub-contracting companies, fall within the same framework. Risk analysis While the Group's activities are not generally regulated, certain of our clients' activities, particularly in the financial sector, sometimes require us to comply with regulations imposed on them, or in rare cases, make us comply with other regulations. Due to the nature of its activities, the Group must comply with various international and local regulations regarding data privacy protection. The Group could be held liable in the event of voluntary or involuntary disclosure of all or part of personal data belonging to a client or third-party. Even if measures are taken to limit any negative impact on our activities or our reputation of non-compliance with regulations governing our activities, failure to take account of regulations or an error in interpreting such regulations, would expose the Group to financial and reputation risks. Risk management systems To ensure compliance with regulations applicable to its clients, the Group analyses the related obligations, which are then monitored by teams in the Production/Methods and Support Department. This analysis also enables the identification of regulated activities and, where appropriate, any necessary authorizations to be obtained. In March{2016, with regards to the various international and local regulations governing the protection of personal data, the CNIL, acting on behalf of European Union data privacy protection authorities, approved Capgemini’s Binding Corporate Rules (BCR) defining the processing of personal data by the Group throughout the world, on its own behalf and for its clients. The BCR are a key component of the Group’s policy for preparing for the application of the new European Directive on the protection of personal data, that enters into effect on May{25, 2018. Failure to comply with regulations governing our{activities

2

113

REGISTRATION DOCUMENT 2017 — CAPGEMINI