Euronext - 2019 Universal Registration Document

Euronext, a sustainable exchange

Euronext’s Five ESG Impact Areas and the Sustainable Development Goals

Whistleblowing Program The Company, via its Whistleblowing Policy, allows Employees and third parties to report in confidence alleged breaches of the laws or Company policies, and protects anyone who reports in good faith, ensuring that they shall in no way be put at a disadvantage by the Company as a result of the report. The policy provides internal and external mechanisms to report unlawful and unethical behaviors. External mechanism is managed per internet by a specialized provider and allows employees anonymous reports. The Company is committed to protect reporting employees against retaliation. The Whistleblowing Policy and Procedure also describe how the reports are treated, how investigations are carried out including confidentiality aspects as sets for in the laws and contains the rights and obligations of Employees when they want to report an alleged breach. The Company has also upgraded its Policy and Procedure to ensure full compliance with laws of the jurisdictions where it operates. The whistleblowing policy is available on Euronext Website (1) and on Euronext Intranet in the main languages used in the Company. Employees participate mandatory trainings mostly through e-learning platform and are informed on the mechanisms to report unlawful and unethical acts and behaviors. Additionally, the Company is committed to providing all employees and others who are on Company property with a safe and healthy work environment. Accordingly, all employees will comply with all health and safety laws and regulations as well as Company policies governing health and safety. All employees are responsible for immediately reporting accidents, injuries and unsafe equipment, practices or conditions to a manager or other designated person. For more information on the Code of Business Conduct and Ethics see section 2.1.1.3 “Corporate Compliance – Code of Business Conduct and Ethics”. Data Protection Euronext is strongly committed to protect the personal data and uphold the right to privacy as provided by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”) and any national implementing laws and regulations of the GDPR. Euronext has adopted a set of internal policies/procedures and

n data Subjects Information Consent and Rights Policy and procedure, n privacy by Design and data protection impact assessment procedure; n internal/public notices/statements: n privacy notice to staff, n privacy notice to Board Members, n privacy Statement, n data subjects’ Rights Request Information procedure, n privacy notice to applicants. These new processes have been circulated to employees through a global training specifically designed by and for Euronext and in- depth training for specific functions more exposed to certain risks. Staff training and awareness sessions are conducted regularly in all Company locations to promote GDPR compliance. Each new employee is trained shortly after joining. All new acquisitions made by Euronext are integrated in these processes as well after harmonization where applicable. Euronext has implemented several organizational and technical measures to ensure the protection of privacy. Among all these organizational measures, we can underline: n the use of a data privacy management tool for the record of processing; n the use of a tool for personal data breaches and data protection impact assessment (realized for all new project or vendor); n the designation of Business Data Owners within each business unit and support function whose role is to ensure the link between the business unit and support function concerned and the Data Protection Officer in one hand and InfoSec and Data Management Office on the other hand; n the implementation of several tools by InfoSec department to classify or frame accesses. A strong governance around data as a whole and personal data particularly exists and is part of the global organization with a monthly reporting of the DPO to the Data Governance Steerco chaired by the Chief Data Officer.

3

GDPR TRAINING EMPLOYEES

internal/public notices/statements: n internal policies and procedures:

2019

n data privacy policy, n data retention policy, n personal data classification policy, n personal data breach policy and procedure,

Percentage of total employees

Number

Staff assigned to the training

965

76.2%

Staff completing the training

697

72.2%

(1) https://www.euronext.com/fr/node/721

91

2019 UNIVERSAL REGISTRATION DOCUMENT