Universal Registration Document 2024

4 SUSTAINABILITY REPORT GOVERNANCE MATTERS

Lastly, third-party assessments may lead to the project being abandoned and the business relationship not being entered into when the risks are considered too great and cannot be remediated. To date, the Group has not had to terminate an established business relationship for ethics or compliance reasons.

Depending on the type of relationship, the nature of the project and the country of operation, the assessment of third-party risks includes gradual steps that may go as far as triggering:
• an on-site survey;
• a pre-acquisition audit in the scope of a merger and acquisition project. The pre-acquisition audits initiated by the Group in 2024 may, depending on the target, cover ethics and compliance, ESG (Environmental, Social and Governance) matters, cybersecurity, Human Rights and/or personal data protection. They round out the due diligence carried out on the usual legal and financial aspects of this type of transaction;
• an action plan implemented before signing and post-acquisition, where appropriate, which may include a post-acquisition audit if necessary.

The department responsible for these tasks within the Ethics and Personal Data Protection Department also takes account of the sensitive nature of data, which may be strategic and confidential.

Risk management and internal control

The risk mapping, control and internal audit systems form a comprehensive approach to controlling the Group's activities. The control system is based on three levels: self-assessments or assessments by the business line, field controls and audits.

Key data protection controls have been in place since 2021. The GDPR compliance management platform and documentation make it possible to monitor action plans by processing method or by department. Each new project involving personal data identified by the data protection network is registered on the GDPR compliance management platform (ARIEL). This principle makes it possible to detect risks at the project design stage (privacy by design). Only the necessary data are collected, processed and stored securely (privacy by default).

The GDPR compliance management platform (ARIEL) includes the registers for:
• processing;
• data breaches;
• requests to exercise rights on data.

Following a group Data Protection Impact Assessment, an action plan (definition of clauses, agreements, supervision of any transfers outside the EU, training, etc.) is drawn up and validated by the data controller, who, by signing, undertakes to monitor its implementation.

Aéroports de Paris is aware of the stakes involved and subjects any service provider accessing sensitive information to strict confidentiality through contractual clauses, non-disclosure agreements and the internal regulations if applicable, etc.

Aéroports de Paris SA implements a centralised procedure to respond to requests to exercise rights and to manage data breaches, and documents them in the compliance management platform. An on-call and crisis management system is in place to deal with requests as quickly as possible. A dedicated e-mail address is accessible by the entire DPD team for this purpose (informatique.libertes@adp.fr).

Stakeholders are informed of the processing of their data at the point where the data are collected: notifications on contact forms, web pages and IT tools, etc. An information policy on the processing of personal data by Aéroports de Paris and the procedure for requesting the exercise of rights are communicated to the public on Groupe ADP's website: Protection of your personal data – Paris Aéroport. This was updated in 2024 as part of a continuous improvement initiative to inform people of their rights.

The personal data protection teams at ADP SA, Hub One, Extime Duty Free Paris and Hologarde carry out self-assessments as part of the internal control process, which are then supplemented by field tests carried out by the centralised internal control team. Aéroports de Paris SA monitors the compliance of Group entities through a Group Committee (meeting two to three times a year).

With regard to the anti-corruption programme, controls have been carried out since 2023 on the basis of a Group key controls manual. These controls, effective for each pillar of the Sapin II law, make it possible to assess the system's compliance and implement the necessary action plans. The Ethics and Personal Data Department, supported by the 26 Ethics and Compliance Officers of the controlled entities, carries out self-assessments followed by field tests conducted by the central internal control team (except for TAV Group subsidiaries, for which the TAV Holding internal control team carries out the field tests).

In 2024, the key anti-corruption and data protection control manuals were reviewed in advance of a new self-assessment campaign in 2025. In addition, the coordination of the three levels of control (self-assessment, on-site controls and audits) has been strengthened for ethics and compliance in order to guarantee full coverage of the controlled scope. The Director of Audit shares the audit plan with the Ethics and Personal Data Department to ensure that ethical issues are properly taken into account.
