Protection of personal data

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – known as the General Data Protection Regulation, or “GDPR” – entered into force on 25 May 2018. Sopra Steria Group and its subsidiaries have rolled out a programme intended to ensure compliance with this regulation and local laws.

This programme is directed by the Group’s Legal Department, which is responsible for coordinating measures to protect personal data processed by Group companies (both for their own purposes and on behalf of their clients).

This programme is underpinned by an organisational and governance structure and a general personal data protection policy. It complements and strengthens the information security policy implemented by the Sopra Steria Group.

The organisational and governance structure has two tiers: a group tier and a local (country/entity) tier. Data Protection Officers have been appointed within each of the Group entities concerned. The Group Data Protection Officer relies on this structure to roll out the compliance programme across the Group. 

This programme has the following goals in particular:

  • The rollout of a specific tool to keep records of all processing of personal data by Group entities, both for their own purposes and on behalf of their clients;
  • The implementation of specific procedures to respond to requests received from individuals exercising their rights relating to personal data, including the right of access, the right to rectification, the right to object to processing and the right to remove data across the system, including archived and recorded data:
    • For employees of Group companies,
    • For third parties (for example, job applicants in connection with recruitment procedures),
    • For personal data processed by Group companies under contractual arrangements with their clients, as instructed in writing by the latter;
  • The review of various internal and external media to ensure compliance with legal and regulatory requirements;
  • The provision of standard contracts and clauses covering the protection of personal data in the context of contractual relationships with clients, subcontractors and suppliers;
  • The rollout of a mandatory training module for all existing Group employees and for every new employee;
  • The management of the whistleblowing procedure to report actual or suspected personal data breaches.

All external growth transactions involve a due diligence process covering the processing of personal data. Acquired companies are added to this compliance programme upon joining the Group.

In addition, at Sopra HR Software, the Sopra Steria Group’s subsidiary that publishes HR solutions, Binding Corporate Rules (BCR) have been in place within its entities since 2015.

If you have any questions regarding the programme or if you wish to exercise your rights, please refer to the information notice corresponding to your situation, accessible at the bottom of the page.