In 2021, Edenred’s cybersecurity unit was verticalized to optimize deployment of the Group’s cybersecurity strategy, speed up the rollout of security projects and extend controls throughout the business scope. The unit serves as a means of ensuring better management of cybersecurity skills and resources throughout the Group. In addition, Edenred has continued the actions initiated in 2020 and continues to strengthen the resilience of its digitalized products and its cyber crisis management capabilities. The Group has undertaken a vast project covering the controls and security of its most critical business applications. It has also enhanced its employee awareness and training capabilities through various actions (e.g. creation of e-learning modules, organization of a week dedicated to cybersecurity, talks by external experts). Finally, Edenred has strengthened its cybersecurity incident detection and response capabilities, including the addition of advanced solutions such as Endpoint Detection & Response to complement existing capabilities like the Security Operation Center (SOC).

Edenred has obtained internationally recognized information security certifications in several countries, such as ISO/IEC 27001 and PCI DSS, which guarantee that these standards are applied within the organization. Today, ten subsidiaries have received certification: Edenred Italy, Edenred Singapore, Edenred Czech Republic, Edenred United Kingdom, Edenred Romania, Edenred Bulgaria, Repom, Punto Clave, Corporate Spending Innovations and PrePay Solutions. Throughout the year, mandatory training was provided to employees via e-learning modules on the EDU platform, covering themes related to the prevention of money laundering, personal data protection, corruption prevention, antitrust and competition law. Priority issue: personal data

Protecting the personal data of Edenred’s clients, users and employees is a priority issue for the Group. This is especially true with the expansion and diversification of its businesses and stricter regulations following the application of the General Data Protection Regulation (GDPR) in Europe and other local legislation outside Europe (see sections Risks related to personal data protection regulations page 73 and 4.1.3 Cybercrime and information system risks from page 76). Edenred has made personal data protection a core priority as it is an opportunity to bolster the trust that corporate clients, employee users and staff members place in the Group.

Edenred appointed a Data Protection Officer (DPO) in 2017 and has launched a compliance project to create tools, processes, governance and organizational structure that allow the Group to optimize the management of personal data and transparency for individuals whose personal data are processed.

A Group compliance program designed by the DPO is being rolled out in several phases. The DPO manages the program and coordinates the work to be carried out through a network of regional and local correspondents within each subsidiary in Europe, as well as subsidiaries from other regions. The DPO also ensures progress among subsidiaries by adapting specific action plans.

A shared compliance tool has been implemented to help subsidiaries, with the support of the DPO, to meet their personal data protection obligations, particularly with regard to the inventory of data processing, data protection impact assessments, the management of privacy rights in relation to the processing of personal data by Edenred, the compliance of websites in relation to cookies, and to enhance coordination between the Group DPO and regional and local representatives.

Educational tools have also been designed for regional and local correspondents and operational staff, to provide them with concrete support in developing projects that comply with regulations on personal data protection.

A data breach response plan was also disseminated so that swift and effective action can be taken in the event of an incident involving personal data. Tools have been implemented, with dedicated support, to aid staff in managing these incidents and meeting the requirements of the competent supervisory authorities.

The Group sets out recommendations to help subsidiaries better understand the purpose and consequences of data protection regulations. The recommendations also guide them in implementing the right processes and procedures to guarantee compliance and to be able to demonstrate its compliance with relevant legislation, in line with the accountability principle.

The Group also takes steps to ensure that subcontractors are held accountable and that any individual involved in processing personal data is provided with clear and available information in line with the requirements of these regulations.

In terms of training and awareness-raising, golden rules on the protection of personal data were circulated in 2020, and a Group e-learning module on the protection of personal data was developed internally to ensure that it is aligned as closely as possible with Edenred’s businesses. Two e-learning modules – one compulsory – have been made available since 2021 to all Group employees. In addition, data protection workshops were led for all new employees as part of the onboarding process. More specific training sessions on personal data were held in 2020 for key players within corporate headquarters and the other Group subsidiaries.