BPCE - 2020 Universal Registration Document

NON-FINANCIAL PERFORMANCE STATEMENT

BEING A RESPONSIBLE GROUP IN ITS INTERNAL AND EXTERNAL PRACTICES

PERSONAL DATA PROTECTION The GDPR Project continued to disseminate the Personal Data Protection culture within BPCE, networks and subsidiaries. The monitoring of this compliance with the General Data Protection Regulation (GDPR) continues to benefit from a high level of sponsorship, with the presence of three members of BPCE’s CDG (General Management Committee) on the quarterly Executive Steering Committee. A Group data protection policy has been put in place, setting out the standard organization, the roles of the various stakeholders, and the application of the main lines of the GDPR within the Group. Adoption of the tool DRIVE/ARCHER, also common to the security of information systems, the fight against cybercrime and business continuity, will make it possible to optimize the synergies between these different activities. From the first quarter of 2021, this tool will host the registers of each of the Group’s entities, and will enable the formalization of GDPR permanent controls and the monitoring of the associated action plans. The Group has also begun to comply with the new regulation on cookies, and the implementation of a consent for tracers justifying it. The exercise of rights remains at a reasonable level with 625 requests across the entire scope excluding Natixis and its subsidiaries, including 200 requests for access rights and 227 rights of opposition in 2020. Portability rights are virtually non-existent. At the same time, 24 incidents requiring notification of personal data breaches to the French Data Protection Authority (CNIL) were identified, and only one case was the subject of a CNIL response. The organization and missions of the Security department are detailed in the section – Non-compliance risk and security in Chapter 6 – Risk Management. Groupe BPCE conducts most of its activities in France, under a regional cooperative business model. Through its subsidiary Natixis, the Group serves multinational enterprises and has thus established commercial operations all around the world. Its presence in different jurisdictions is justified for such business reasons and not for the purpose of enjoying any specific tax advantages. FISCAL PARTNERSHIP WITH THE FRENCH MINISTRY OF ACTION AND PUBLIC ACCOUNTS SINCE 2019 BPCE SA, acting on behalf of itself and its wholly-owned subsidiaries, signed the Tax Partnership with the Minister of Public Action and Accounts at its official launch on March 14, 2019. https://www.economie.gouv.fr/files/files/PDF/ 2019/Guide_ProtocolesQRV6.pdf The “Tax Partnership” involves regular, transparent dialog with the tax authorities on a voluntary basis and is aimed at large corporations and intermediate sized enterprises, which are subject to frequent tax audits. It allows the companies concerned to obtain a clear response from the authorities on complex tax matters that can cause financial or legal risk, in exchange for more transparency. POLICY ON COMBATING TAX EVASION AND GROUP TAX POLICY

Groupe BPCE was the first bank to be admitted to this new system. To date, nearly 200 Group entities have joined the fiscal partnership, in particular all of the Banques Populaires and Caisses d’Epargne. As a reminder, BPCE was a pioneer in this area in 2013 when it joined the experimental ‘trusted relationship’ scheme set up by the tax authority. CREATION OF A TAX LIABILITY MAP WITHIN THE GROUP France has stepped up the prosecution of tax fraud offenses by the law of October 23, 2018. The tax authorities now have the obligation to transmit tax fraud cases to the criminal justice system (when the amount of the increased duties is greater than €100,000 and applies the highest penalties). The criminal justice system can then prosecutewithout the agreement of the tax authorities and will be free to determine which persons are prosecuted (e.g. subsidiary, parent company, executives). As part of the managementof these risks, the Group has carried out tax liability mapping based on three actions: the development of a “fiscal responsibility” charter within the • Group’s various entities that would be signed by each person responsible for the tax position of the Group entity (CFO, Accounting Director, Tax Director, etc.); each entity would be responsible for its tax obligations and • would undertake to put in place processes to control and validate tax treatments in order to avoid any risk of taxfraud; the implementation of delegations of authority or delegations • of signature. ESTABLISHMENT OF A FISCAL CODE OF CONDUCT Groupe BPCE has drafted a fiscal code of conduct setting out the principles and general framework to be used as a guide to the Group’s own taxation and the taxation applicable to its customers within their relations with the Group, as well as with the tax authorities. This Code will be issued to all members of staff and will be applicable to all. This fiscal code of conduct will be available on the groupebpce.com website from the end of April 2021. GROUPE BPCE TRANSFER PRICING POLICY Groupe BPCE’s transfer pricing policy observes OECD recommendations and does not give rise to indirect profit shifting. The general underlying goal is for profits to be taxed wherever value is created, in line with OECD transfer pricing guidelines and with local tax rules. Groupe BPCE applies the “arm’s length principle” to ensure that the parties to intragroup transactions are paid the amount they would normally receive on the open market, that transfer pricing methods are applied consistently, and that transactions are performed responsibly and transparently. Groupe BPCE prepares transfer pricing documentation for its intragroup transactions to comply with local transfer pricing documentation requirements in the countries where its entities are located.

2

105

UNIVERSAL REGISTRATION DOCUMENT 2020 | GROUPE BPCE