GROUPAMA / 2018 Registration document

4 CORPORATE SOCIAL RESPONSIBILITY (CSR)
GROUPAMA’S 2018 EXTRA-FINANCIAL PERFORMANCE REVIEW

❯ respect for ethics and professional conduct, particularly the management of conflicts of interest, the fight against corruption and influence peddling, and the duty of care of parent companies;
❯ the protection of personal data and in particular medical data.

In 2017, the Group’s compliance policy was reinforced to incorporate the measures required by the Sapin 2 law (prevention/detection of bribery and influence peddling) and the law on the Duty of Care of parent companies and ordering companies (prevention of violations of human rights, fundamental freedoms, health and safety of people, and the environment, especially for subcontracting and suppliers). At the Group level, the overall implementation of anti-corruption measures is managed by the Group Compliance Department, with the assistance of the Group Legal Department and the Group Human Resources Department.

4.2.3.5 Personal data protection

The Group’s code of conduct specifies that the Group’s companies must ensure that any collected and processed personal information does not infringe privacy or individual freedoms. The companies are also committed to respecting the rights of the individuals concerned and taking all necessary measures to protect confidentiality.

In 2007, Groupama decided to designate a CIL for the Group whose duties are defined by law, consisting particularly of establishing and maintaining the list of data processing in force within the Group’s companies, advising, training, ensuring compliance with the relevant regulations (a priori, a posteriori), whistleblowing, and managing the rights of individuals. This function maintains relations with the CNIL.

Since the GDPR came into force on 25 May 2018, the Group CIL has given way to the France DPO (Data Privacy Officer), who also takes over the duties of the Group CPO.
In anticipation of the entry into force of the General Data Protection Regulation in 2018, the Group appointed a Group Corporate Privacy Officer (CPO) in 2016. The interest in this designation lies mainly in the introduction of management and coordination of “Personal Data” governance at the Group level, by capitalising on the framework for governance of personal data implemented in France by the CIL (DPO France), thus reducing the risks. Each international subsidiary has also designated a DPO with its national supervisory authority.

The France DPO (& Group CPO), assisted by his/her team, fulfils this role and performs these duties for all companies of the Group. The function of Pooled France DPO is independent by law and reports to the General Secretary, a member of the Steering Committee. It meets the legal and regulatory requirements governing the conditions for designation of a DPO and has been designated with the CNIL. This function is subject to a whistleblowing duty and must report on activities by preparing an “annual activity review” presented to the data controller and held available for the CNIL.

With regard to personal data, compliance control is one of the duties carried out by the France DPO & Group CPO and his/her teams. The compliance of personal data processing covers not only the above topics pertaining to the Group’s core business (non-life insurance, life insurance, asset management, real estate, etc.) but also all other topics as long as personal data are concerned (e.g., human resources, video surveillance devices, service activities, etc.).

On 24 May 2018, the CNIL issued 28 “Personal Data Governance” labels to the Group’s French companies having shown that they were prepared for the implementation of the GDPR. It is a mark of strong trust for our members, customers, employees, and partners.

4.2.3.6 Fight against money laundering and terrorist financing

The fight against money laundering and terrorist financing (AML/CFT) is an important issue for the Group’s companies subject to such regulations.

In this context, coordination at group level and a network of AML/CFT Managers in the insurance subsidiaries (in France and internationally) and the Financial Division, as well as in the regional mutuals, has been established. This is managed by the Group Legal Department and involves regulatory compliance, regular meetings and newsletters, quarterly reporting and semi-annual updates for the Group’s Executive Management, and an annual report to the Board of Directors of Groupama Assurances Mutuelles on actions taken within the Group.

This structure also includes a central committee for guidance and monitoring of the fight against money laundering and terrorist financing (AML/CFT) within the Group. This committee is responsible for monitoring and coordinating the actions carried out by the various functions and entities involved in this area.

An AML/CFT organisational chart defines the roles and responsibilities of the various participants and stakeholders at the level of the Group and each operational entity concerned, describes the mechanism in place with respect to informing and training employees, determines the methods and conditions for exchanges of information required for the exercise of vigilance, and specifies the system to be applied for AML/CFT risk management.
In particular, 2018 was devoted to reinforcing the system and making upgrades as part of the transposition of the “Fourth Anti-Money Laundering Directive” into French law.

4.2.4 TABLE OF CONCORDANCE AND METHODOLOGICAL NOTE

4.2.4.1 CSR risks – Identifying risks to better control them

As mentioned in section 4.2.2.3., work on the mapping and assessment of the Group’s CSR risks started in 2018 and will continue in 2019. The 2019 CSR report or DPEF will build on this work.

In the meantime, below we have provided a table of correspondence with the list of CSR risks identified in the CSR Reporting Guide for the insurance sector published in 2018 and produced by the FFA (Sustainable Development Committee). The 2018 edition of the guide does not propose indicators at this stage.

REGISTRATION DOCUMENT 2018 - GROUPAMA ASSURANCES MUTUELLES
