Universal Registration Document 2024

4 SUSTAINABILITY REPORT GOVERNANCE MATTERS

It is appended to ADP SA's internal regulations and, in accordance with local laws, is enforceable against employees of other Group entities. It was last updated in July 2023, and is regularly reviewed to incorporate lessons learned from risk mapping exercises. Corruption Groupe ADP has rolled out an Ethics and Compliance Programme with anti-corruption at its core, based on a code of conduct and procedures, a network to spread the culture and a training and communication plan to empower employees. See G1-3 and G1-4. Human Rights The Ethics and Personal Data Department also coordinates the Vigilance Plan and the structuring of its overall Human Rights approach (see section 4.3 b) as part of the governance dedicated to the Group's duty of vigilance (“ Loi Potier ”). In 2024, the basis of Groupe ADP's Human Rights policy was formalised and validated by the subsidiaries and controlled companies. Personal data protection Although data protection did not emerge from the double materiality assessment as a material matter, this issue is an integral part of the ethics and compliance culture and has been identified as one of the risks on the Human Rights risk mapping, as well as on the Group risk map. Both Turkey and Jordan have laws similar to the General Data Protection Regulation (GDPR). While compliance is country-specific, Groupe ADP shares all tools with its subsidiaries to help them achieve compliance. Aéroports de Paris SA has appointed a Data Protection Officer (DPO) with a dedicated address for requests to exercise rights (informatique.libertes@adp.fr). A specific Data Protection Correspondent (DPC) has been appointed in each department to provide support and advice, as well as upstream detection (privacy by design) and to guarantee project compliance. Each Group subsidiary subject to the GDPR also appoints a Data Protection Officer. Group data protection committees meet twice a year to ensure coordination between entities. Defined since 2019, the Group Data Protection Policy (GDPP) is based on the Information Systems Security Policy and the General Data Protection Policy. It covers the following objectives: u defining Groupe ADP's commitments to protect the personal data of its stakeholders and ensure compliance with the relevant regulations; u establishing the dedicated organisation for this purpose; u setting out the principles and rules for ensuring adequate protection of personal data collected as part of the Group's activities.

Available to all employees, the data protection policy application charter has supplemented this policy since 2021. Group principles relating to the protection of personal data were formalised in the Ethics and Compliance Code of Conduct in 2023. [G1-1-9] → Description of how the company establishes, develops, promotes and evaluates its corporate culture Ethics and Compliance is a question of changing culture more than changing procedures. Since 2018, Groupe ADP has been working to develop the ethics and compliance culture at all levels in the company by relying on the key points of the programme, the dissemination of policies and any other actions to adapt all of our stakeholders to this culture. This is why the Ethics and Compliance programme devotes a great deal of attention to communication, awareness-raising, training and the “speak up culture” 1 . It also pays particular attention to the understanding and perception of employees, u Cercle Éthique des Affaires (Business Ethics Circle) since 2019 (the Group's Director of Ethics and Personal Data has chaired this organisation since June 2023); u Business for Human Rights since 2021; u Ressources Humaines Sans Frontières since 2023. Engagement of governance Commitment letters are signed by the members of the Executive Committee, the ethics advisers in the subsidiaries (countersigned by the CEOs of the subsidiaries to ensure their autonomy), entity management, subsidiary directors and the Internal Control network (CARE). In addition, Executive Committee members submit a declaration of interests. In 2024, the Chairman and Chief Executive Officer renewed his own commitment in a letter defining the roles and responsibilities of the Ethics and Personal Data Department and the Legal and Insurance Department. A number of delegations of authority to members of the Executive Committee have also been renewed, with a specific clause covering ethics and compliance. Ethics Committee The Ethics Committee is a forum for collective reflection and work on practices within the company. It defines, disseminates and reinforces the Group's ethics culture. It informs decision-making by highlighting any questions or ethical issues. and to the exemplary nature of management. Regularly reviewed and revised practices In order to observe best practices and enrich its thinking, Aéroports de Paris SA participates in various initiatives to share best practices for the benefit of the entire Group: u Global Compact France since 2003; u Transparency International since 2008;

1 “A "Speak up culture" is a work environment where employees feel comfortable speaking their minds, sharing their ideas and expressing their concerns without fear of negative consequences. In other words, it is a place where all employees feel safe to express themselves when they have something to say; no matter what it is.” (Definition by Hannah West, Speak Up culture – what is it and why is it important?) (goodcourse.co).

498

AÉROPORTS DE PARIS w UNIVERSAL REGISTRATION DOCUMENT 2024