2022 Universal Registration Document

R i sk and r i sk management

Risk factors

5 - B: RISKS RELATED TO DATA MANAGEMENT Legislative and regulatory changes may affect the management of Groupe ADP’s data. Criticality + Detailed description of the risk factor The legislative and regulatory changes that Groupe ADP is facing may undermine the protection of its sensitive information, in a context of strong regulatory requirements in terms of data protection and the existence of extraterritorial laws. Indeed, European regulation 2016/679 on the protection of personal data (known as the “GDPR”) which came into force on 25 May 2018 requires transparency, integrity and confidentiality of the processing carried out by Groupe ADP, as well as the possibility for data subjects (customers, employees, retailers, etc.) to exercise their rights over their personal data. In addition to this regulation, international legislation relating to the protection of personal data is regularly strengthened. In the exercise of its activities, each Groupe ADP entity is required to process various personal data of any type of person having interactions with it (employees, customers, passengers, partners, suppliers, etc.). Each entity subject to the GDPR is therefore required to apply the framework imposed by the regulations to its sector of activity and to the processing of personal data specific to it. Entities for which the GDPR is not applicable but which are subject to national regulations on the protection of personal data can, nevertheless, draw inspiration from this process in order to pursue the objectives of the Data Protection key controls in their internal practice. Although the Group is continually developing its data security system based on best market practices, situations of loss or theft of personal or confidential data are increasingly frequent and publicised, particularly in France.

Change in 2022 New

Potential effects for the Group — Fines, regulatory non compliance, formal notice to stop processing (GDPR) — Dissemination of sensitive information — Impairment of intangible assets — Loss of information assets — Image damage

2

Interconnected risks — Cybersecurity risks — Risks of corruption and business integrity — Aviation safety risks

MAIN RISK MANAGEMENT SYSTEMS Groupe ADP is fully committed to the protection of personal data and sensitive information and has implemented Group-wide information protection policies. A set of measures are deployed to ensure compliance with applicable regulations, such as: ◆ a specific organisation and governance, managed by the Data Protection Officer (DPO), in coordination with the Ethics and Compliance and Information Systems Security teams;

◆ a structured approach involving a network of Group contributors; ◆ policies and a best practices charter accessible to all employees, awareness-raising on data protection, data confidentiality and the systems implemented in the Company

155

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 2022