Protection of personal data

Personal Data Protection within the Sopra Steria Group

Sopra Steria Group is committed to protecting the privacy and security of personal information it holds and processes in accordance with applicable Data Protection laws, in particular with Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”). To this end, Sopra Steria Group has set up a Governance Model for the protection of personal data which is applicable across all subsidiaries to ensure compliance with the requirements of the EU Regulation and other applicable laws.

This Governance Model has been drawn up by the Group’s Legal Department, which also oversees its practical implementation and coordinates the measures taken to ensure protection of personal data processed by Sopra Steria Group’s subsidiaries (both for their own purposes and on behalf of third parties). The Governance Model provides for:

  • A well-defined organisational structure with clear roles and responsibilities;
  • The “Group Data Protection Compliance Programme”, made of appropriate policies, procedures, tools and contractual instruments to be implemented locally in each subsidiary.

The organisational structure has two levels: a group level and a local level (country/entity). Data Protection Officers or SPOCs have been appointed in each of the Group subsidiaries. The Group Data Protection Officer relies on this structure to oversee the implementation of the Group Data Protection Compliance Programme throughout the Group.

The Group Data Protection Compliance Programme has the following objectives in particular:

  • The rollout of specific tools to keep track of all processing of personal data carried out by the Group subsidiaries, both for their own purposes and on behalf of third parties;
  • The implementation of specific procedures to report and manage any suspected or actual personal data breaches that may occur within the Sopra Steria Group;
  • The provision of adequate information notices for each category of data subjects whose data are or may be processed by Sopra Steria (e.g. employees, candidates, clients, suppliers, etc.);
  • The review of various internal and external media to ensure compliance with legal and regulatory requirements;
  • The provision of standard contracts and clauses governing the protection of personal data in the context of contractual relationships with clients, subcontractors and suppliers;
  • The definition of a specific methodology to perform risk assessments on restricted data transfers to third countries outside the EU/EEA;
  • The rollout of a mandatory training module for all existing Group employees and for every new employee joining the Group;
  • The organisation of periodic checks and audit missions on the progress and implementation of the Data Protection Compliance Programme.

All external growth operations include a due diligence process for the processing of personal data. Acquired companies are required to apply the Group Data Protection Governance Model and to conform to the Group Data Protection Compliance Programme upon joining the Group.

If you have any questions about the Governance Model or any of its components, please refer to the relevant document at the bottom of this page. If, on the other hand, you have questions relating to the processing of your personal data by Sopra Steria or you wish to exercise your rights, please refer to the specific notice applicable to you, also accessible at the bottom of this page.