Universal Registration Document 2024

SUSTAINABILITY REPORT 4 GOVERNANCE MATTERS

Risks in terms of Human Rights, Health and Safety

identified by the network of correspondents in the departments is entered in the register enabling GDPR compliance to be controlled from the project design stage (privacy by design). Action plans are formalised and monitored by the Data Protection Officer team. The processing and storage of personal data requires action to prevent possible breaches of security resulting in the accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access of personal data. Duty of vigilance concerning the protection of personal data is heightened in view of the worldwide increase in cyber attacks, as Groupe ADP may be exposed to malicious acts on its information systems. Despite the increase in cyber-attacks worldwide, Groupe ADP has not experienced any data breaches linked to this phenomenon. All ethics and compliance risks are included in the Group's risk map. u training/awareness-raising for all employees as well as specific modules for exposed populations; u a network of 26 Ethics and Compliance officers, including one for each TAV Airports subsidiary in addition to the holding company team, and 20 in the parent company's support departments; u a process for assessing third parties and a methodology developed for pre-acquisition audits on compliance issues; u a whistleblowing system accessible on the intranet and website; u an internal control system for the anti-corruption programme and the management of personal data. GROUPE ADP ETHICS AND COMPLIANCE POLICIES Ethics and Compliance Code of Conduct Since 2019, Groupe ADP has had an Ethics and Compliance Code of Conduct which covers all related issues, including the 10 principles of the United Nations Global Compact, and is applicable to all controlled entities and entities subject to anti-corruption laws, including the Sapin II law. The Ethics and Compliance principles set out in this Code are intended to help all Group employees in their day-to-day business practices. These rules are based on three principles that guide professional behaviour: responsibility, integrity and respect for others. The Code sets out rules and best practices on various issues such as the fight against breaches of professional ethics, the prevention of corruption and influence peddling, conflicts of interest, data protection, including personal data, respect for the Group's employees and partners, the Group's whistleblowing system and the protection of whistleblowers. The best practices and illustrations for each of the issues are based on risk mapping scenarios or cases dealt with through the whistleblowing system.

(See section 4.3.b. on the Group's general approach to Human Rights duty of vigilance). An initial specific mapping exercise was completed in early 2023 as part of the Group's duty of vigilance (Potier law). It has made it possible to target the main risks of negative impact of the Group's activities and its value chain on its stakeholders: employees, suppliers and subcontractors (and their employees), local communities/residents and customers. The map is due to be updated in 2025. Risks in terms of Personal Data Protection The risks are included in the scope of the Human Rights, Health and Safety risk mapping and, more broadly, in the Group risk mapping. As part of its activities, Groupe ADP processes personal data relating to employees, existing/ prospective customers, passengers, partners, service providers, etc. Each new project involving personal data

4.4.2.3. Commitments and deployment of the Group's ethics culture [G1-1] – Corporate culture and business conduct policies

[G1-1-7] → Policies relating to business conduct matters and how the company fosters its corporate culture

For Groupe ADP, ethics and compliance mean operating in accordance with the law and regulations 1 , and the Group's “Responsibility and Hospitality” values. Groupe ADP believes that there can be no compromise when it comes to ethics and compliance. This conviction is reflected in the Group's approach to continuous improvement in the exercise of its duty of vigilance. Groupe ADP's Ethics and Compliance programme, which is driven by the mapping process, relies in particular on: u a code of conduct, available in nine languages on the intranet and website, addresses the various risks associated with ethical behaviour. It is supplemented by various procedures: gifts and invitations, conflicts of interest, sponsorship, third-party assessment, international sanctions/embargos, ethics in the HR process, etc.; u a personal data protection policy with application charter has been put in place in compliance with the General Data Protection Regulation (GDPR) of 27 April 2016 and law no. 78-17 on IT, data files and data protection and civil liberties, known as " Informatique et Libertés " of 6 January 1978; u a Vigilance Plan meeting the requirements of law No. 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and ordering companies (see introduction to section 4: Vigilance Plan – Framework and key points; u the risk maps detailed in the previous paragraph;

1

Notably: u General Data Protection Regulation (GDPR) of 27 April 2016 and Law no. 78 – 17 on IT, data files and data protection and civil liberties, known as "Informatique et Libertés" of 6 January 1978; u law 2016-1691 of 9 December 2016 (Sapin II), on transparency, the fight against corruption and the modernisation of economic life; u law no. 2017-399 of 27 March 2017 (Potier law) on the Duty of Vigilance of parent companies and ordering companies. u law no. 2022-401 of 21 March 2022 (Waserman Law), aimed at improving the protection of whistleblowers.

497

UNIVERSAL REGISTRATION DOCUMENT 2024 w AÉROPORTS DE PARIS