Worldline 2016 Registration Document
6 Business
Regulation
Through the deployment and the implementation of the Group
Policy related to personal data protection and of the BCR, the
Worldline Group develops the implementation of these various
requirements in order to be prepared for the new requirements
that could result from the new European legal framework
currently being contemplated. The European authorities have
indeed reached an agreement at the end of 2015 on the text of
the new Regulation on Personal Data Protection. The
corresponding EU Regulation (2016/679) was adopted on 27
April 2016 and will enter into force in the European Union on 25
May 2018.

6.9.5.2 Data processing carried out outside the European Economic Area
The Worldline Group carries out personal data processing
operations in numerous countries outside of the EEA. Such
processing is in some instances conducted on behalf of
customers themselves located outside the EEA, while in others it
is conducted on behalf of customers located within the EEA to
whom the Worldline Group provides “offshore” services as an
integral part of the services it offers.

Although there is no international regulation that harmonizes all
of the principles applicable to personal data protection, the
regulatory framework applicable within the EEA is seen as the
authority on such matters due to its strict and pioneering nature
and the influence it has had on legislation that has emerged in
numerous countries that have used it as a model, such as in
North Africa, Latin America and Asia.
This is why the Atos group, which includes the companies of the
Group, chose to adopt and implement the Binding Corporate
Rules (or “BCR”) aimed at ensuring that all entities worldwide,
whatever the country they are located in, give a high level of
protection to the personal data they process, either as a
processor or as a subcontractor processing on behalf of its
clients.

The BCR constitutes stringent commitments for all Atos and
Worldline group entities, whatever the country they are located
in (Europe, Latin America, Africa, Asia, etc.), whereby they
commit to respect numerous principles related to the personal
data they process. These principles are based on requirements
defined by the Personal Data Protection Directive. These
commitments were recognized by a large number of European
personal data protection authorities as enabling a high level of
data protection, when such data is processed on behalf of the
Group’s clients (subcontracting) or for itself as a processor. They
allow Worldline entities to transfer such data out of the
European Union to other Atos’ entities in a simplified, easy and
secured fashion.

These commitments are voluntary, unilateral, rare in the IT
service industry as they cover both Atos and Worldline entities,
acting not only as processors but also as subcontractors (i.e.
when data is processed on behalf of their clients) and
demonstrate the focus given to personal data protection.