6 Business – Regulation
Page 71 – Worldline 2016 Registration Document

- to take particular precautions before processing sensitive data (e.g., health or biometric data), such as checking that the explicit consent of the person concerned was received or that the processing is based on one of the exceptions that permit such processing as provided for in applicable law implementing the Personal Data Directive (for instance when processing is necessary to defend the vital interests of the person concerned or of another person, or when the processing relates to data that was manifestly made public by the person concerned or is necessary to recognize, exercise or defend a right before courts);

- to put in place technical and organizational measures to protect personal data against accidental and unlawful destruction, accidental loss or unauthorized modification, dissemination or access;

- except in certain instances set out in the Personal Data Directive, to inform the persons concerned of (a) the fact that their personal data is being processed, (b) the identity of the recipients of the data, (c) the identity of the data controller, (d) the purpose of the data processing, and (e) their access and rectification rights and, in certain cases, their right to object to such processing (and, as the case may be, allow them to enforce these rights);

- to retain personal data for a term that does not exceed the time required for the purposes of the processing thereof;

- to refrain from transferring personal data outside of the EEA unless the European Commission considers that the recipient country ensures an adequate level of protection or the transfer is governed by contractual clauses of the type established by the European Commission. In this respect, it should be noted that, in November 2013, the Atos group was the first IT service company to obtain the validation of its “Binding Corporate Rules” (or “BCR”) both as a processor and as a subcontractor. The positive consequences of this validation are detailed in Section 6.9.5.2.

- to carry out the formalities required by the relevant national authorities that regulate personal data protection (such as the Commission nationale de l’informatique et des libertés in France) prior to effecting data processing operations; these formalities vary according to national laws and can range from a simple declaration to an authority or the maintenance of an internal register, to a requirement to procure an authorization or license prior to undertaking certain types of processing activities (e.g., medical data hosting in France).

Depending on the country, the violation by a data controller of such obligations may result in administrative, civil or criminal sanctions, including fines that may amount up to €1.5 million for legal persons in France.

In respect of its other activities, the Group acts in a capacity as “subcontractor” within the meaning of the Personal Data Directive. In such cases, the Group processes personal data with which its clients entrust it and in respect of which such clients are the sole data controllers. In such instances, the above-described obligations applicable to data controllers apply only to such clients. However, the Group nevertheless provides guarantees to its clients that it will (i) put in place technical and organizational measures to protect the personal data they have provided, especially against accidental loss, unauthorized modification or dissemination, or malicious or unlawful access, and (ii) process such data in accordance with the client’s exclusive instructions and for no other purpose than those established by such client.

Although the law applicable to personal data has to a large extent been harmonized throughout the EEA, the implementation of the Personal Data Directive by the EEA member states has given rise to a certain degree of variation among the regulatory regimes that have been established, some of which are more restrictive than those established by the Personal Data Directive. In order to ensure a coordinated and harmonized approach respecting the applicable national laws, the Atos group has adopted a “Group Policy related to personal data protection (AP17 policy)” that is applicable to all of its entities and their employees, including those of the Worldline Group. This policy is founded on three key pillars:

(i) a set of principles based on those set forth in the Personal Data Directive;

(ii) a set of procedures that ensure that such principles are implemented; and

(iii) a training program for all Group employees, tailored to their positions and responsibilities.

The Group’s compliance with the various national laws and effective implementation of the above-described policy is ensured and managed by a department dedicated to personal data protection, relying on a twofold legal and technical expertise, comprising a network of Data Protection Officers and designated paralegals in each Worldline Group entity, resulting in Local Offices dedicated to personal data protection that are coordinated at Atos group level by the Group Data Protection Officer, responsible for the Global Office.

The measures described above were also put in place in anticipation of the new European legal framework currently being discussed. On January 25, 2012, the European Commission proposed a draft regulation intended to replace the current Personal Data Directive that would establish a new legal framework applicable to all companies that process personal data on European territory. Among the more significant aspects of the draft regulation are the following:

- the introduction of a principle of accountability, which would require data controllers to implement internal rules and mechanisms intended to guarantee and demonstrate to each of their clients, the persons concerned and the authorities in charge of monitoring the protection of personal data that they are in compliance with the regulation;

- a requirement to appoint a personal data protection representative in the European Union where the data controller is not established in the European Union;

- a requirement to carry out impact studies relating to data protection before processing operations that present potential risks; and

- a requirement to provide notifications of personal data violations and, in particular, security breaches.