2022 Universal Registration Document

Soc i al , env i ronmental and soc i etal respons i b i l i ty i nformat i on 4 Develop a culture of responsibility and ethics for the benefit of all our stakeholders

4.6.3 ACTING ETHICALLY AND RESPONSIBLY

4.6.3.1 The Ethics and Compliance program Policy and objectives

Personal data processing complies with regulations (the General Data Protection Regulation or GDPR and the Data Protection Act). Regulatory requirements are taken into account from the design stage of projects (Privacy by Design) and by default throughout the life of the processing (Privacy by Default). ADP – SA has appointed a Data Protection Officer (DPO) and correspondents (PDC) in each department who are the DPO’s real intermediaries. A Group data protection policy has been defined, implemented and monitored. It is based on the Group Information Systems Security Policy and the general data protection policy. In 2021, a charter governing the application of the data protection policy was created and provided to all employees. A GDPR compliance management platform has been deployed. It includes the processing register. Group methods have been put in place ( e.g. impact analysis method) and indicators are shared by the various entities. The methodology for conducting IS projects takes into account the protection of personal data. Stakeholders are informed how their data is processed. A centralised ADP SA procedure has been implemented to handle requests to exercise rights. A data violation management procedure has been implemented. A penalty and crisis management system is in place to deal with data violation cases. MANAGEMENT SETTING AN EXAMPLE As ethics and compliance firstly require a change in culture rather than a change in procedures, the Ethics and Compliance program attaches considerable importance to management setting an example, awareness-raising and training, as well as understanding employees’ perceptions. The ethics climate barometer measures the spread of this ethics and compliance culture. Groupe ADP held a second ethics day dedicated to the prevention of corruption on 15 December 2022, which resulted in the broadcasting of videos by executives in order to recall the challenges. This day was also an opportunity to offer employees of the Paris platforms, with a broadcast via Teams for employees abroad, a conference on two major issues: ◆ the “speak up” culture to develop a climate of trust in order to report ethics and compliance shortcomings and malfunctions; ◆ consideration of ethics in business relationships. DETECT CORRUPTION RISKS In addition to the ethics and compliance risks included in the Group’s mapping, a corruption risk mapping is carried out every two years to identify potential scenarios and define preventive actions. In 2022, a new exercise was launched. The action plans will be formalized in conjunction with the internal control and audit teams. A review of the audit plan is carried out each year to include the issues detected in the risk mapping or via the alerts processed.

For Groupe ADP, ethics and compliance mean operating in accordance with the law and regulations, and the Group’s values. An Ethics and Compliance program has been deployed on the basis of seven pillars to fight corruption. In addition, a personal data protection policy has been put in place in compliance with the General Data Protection Regulation (GDPR) of 27 April 2016 and French Data Protection Act No. 78 17 of 6 January 1978. DEDICATED GOVERNANCE The Ethics Department was created in 2018 and in 2021, it expanded its scope to include the protection of personal data. Its Director reports to the Chairman and CEO, thus guaranteeing the Division’s independence in processing alerts. The Ethics and Personal Data Department defines and co-manages the Ethics, Compliance and Personal Data action plan with the Legal and Insurance Department. To implement the plan in the Group’s subsidiaries, these departments rely on the Ethics & Compliance officers of TAV Airports, AIG and Hub One. To ensure the proximity of the approach, 25 officers, i.e. one for every 1,000 employees or so, promote the ethics and compliance culture and monitor the implementation of the standards with the teams concerned. TAV Airports has one contact per subsidiary. In addition to these contacts, 20 intermediaries are appointed within the support departments at the level of the parent company to promote the various ethics and compliance practices and thus prevent the related risks. This network also contributes to the implementation of best practices covering aspects such as the reporting of gifts and invitations and conflicts of interest every year. The program is monitored in the Group’s different bodies: Executive Committee, Social and Economic Committee, Board of Directors (and its Audit and Risk Committee and, for cultural topics, the ESG Committee). The Ethics and Compliance action plan is validated every year by the Executive Committee, the Board of Directors and its Audit and Risk Committee. At the same time, the ESG Committee of the Board reviews actions relating to the dissemination of the ethics and compliance culture within the Group based on the results of the ethics climate barometer. Risks related to ethics and compliance are described in the Risk Management chapter. They are co-managed by the Ethics Division and Personal Data Department and the Legal and Insurance Division. Aéroports de Paris is also a member of Transparency International and the Cercle Éthique des Affaires , which helps it look at best practices and feed into discussions on ethics and compliance within the Group.

294

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 2022