Universal Registration Document 2024

RISK FACTORS AND INTERNAL CONTROL 2 RISK FACTORS

5 – C: RISKS RELATED TO DATA MANAGEMENT Processing of the protection of personal data that Groupe ADP carries out in the course of its activities that does not comply with regulations could incur risks, particularly financial and reputational risks Criticality + Change in 2024 è Detailed description of the risk factor

Potential effects for the Group u Fines, regulatory non compliance, formal notice to stop processing (GDPR) u Dissemination of sensitive information u Impairment of intangible assets u Loss of information assets u Image damage Interconnected risks u Cybersecurity risks u Risks of corruption and business integrity u Risks related to aviation safety

European Regulation 2016/679 on personal data protection (known as the "GDPR"), which came into force on 25 May 2018, imposes rules on the transparency of personal data processing, respect for the integrity and confidentiality of personal data, and the possibility for people involved in data processing (customers, employees, service providers' staff, passengers, etc.) to exercise certain rights (access, rectification, erasure, portability, etc.). At an international level, there are regulations equivalent to the GDPR and there is a tendency towards strengthening them. In the course of its activities, each Groupe ADP entity processes personal data (belonging to employees, customers, passengers, partners, suppliers, etc.) and is therefore required to comply with the applicable personal data protection regulations. Foreign entities must also pursue the objectives of the Data Protection key controls in their internal practices. Groupe ADP updates its data security system on an ongoing basis, drawing on best market practices. This action is essential as breaches of personal or confidential data privacy are becoming increasingly frequent and are receiving media coverage, particularly in France. The speed at which artificial intelligence (AI) is developing means that a new compliance system needs to be put in place within the Company (governance, processes, resources, etc.). The use of technologies based on artificial intelligence is leading to an increase in the volume of data managed by the Company. This includes the sharing of certain data, particularly in the case of sensitive data, which drives the need to control these technologies and related risks.

MAIN RISK MANAGEMENT SYSTEMS Groupe ADP is fully committed to the protection of personal data and sensitive information and has implemented information protection policies. A set of measures are deployed to ensure compliance with applicable regulations, such as: u a specific organisation and governance, managed by the Data Protection Officer (DPO), in coordination with the Ethics and Compliance and IT Systems Security teams; u a structured approach involving a network of contributors for the Group's French entities; u policies and a best practice charter accessible to all Paris Aéroport employees;

u awareness-raising initiatives on data protection, data confidentiality and the systems implemented in the Company; u setting up regulatory registers to monitor the processing of personal data, requests to exercise rights, data breaches and the related action plans; u an internal control system specific to the GDPR. A cross-cutting Task Force working across the Group’s various departments to address the new challenges raised by artificial intelligence.

121

UNIVERSAL REGISTRATION DOCUMENT 2024 w AÉROPORTS DE PARIS