UNIVERSAL REGISTRATION DOCUMENT 2023

7 FINANCIAL STATEMENTS Combined financial statements and notes

5.2.2 APPLICATION OF INSURANCE LAW AND REGULATIONS GOVERNING THE INSURANCE BUSINESS, DISTRIBUTION OF PRODUCTS AND SERVICES, AND COMMUNICATION The Group Legal Department, under the supervision of the General Secretariat of Groupama Assurances Mutuelles, particularly on behalf of the business divisions of Groupama Assurances Mutuelles and insurance organisations (French insurance subsidiaries as well as the regional mutuals), is responsible for: monitoring and analysis of legislation and case law and other standards (FFA (French Insurance Federation) professional standards, ACPR (French Prudential Supervisory and Resolution Authority) recommendations, opinions issued by the French government’s “defender of rights” and the CCLRF (Banque de France’s advisory committee on financial legislation and regulation)) having an impact on the insurance business (marketing, consumer protection, communication, advertising, the development, subscription, execution, and termination of insurance products, etc.); ❯ necessary anticipation and support to implement new regulations for insurance; ❯ information (notes, circulars, working groups, dissemination of a quarterly legal newsletter on customer protection); ❯ ratification of new insurance contracts developed by the Business Departments and other Group insurance subsidiaries, well as changes made to existing contracts; ❯ development and approval of distribution, management delegation, and partnership agreements in connection with insurance, banking and other services; ❯ secure and monitor the legal risks of the Group’s activities and its services and products offered (design, enrolment, management) and assist operations staff in the legal and fiscal investigation and securing of (i) their offerings of insurance and other services, including the insurance, banking, and service offerings of their partners, (ii) the distribution and marketing of their offering, and (iii) communication; ❯ secure and control the legal risks relating to the Group’s contractual commitments (excluding insurance), relations with its service providers and partners, and outsourcing in particular; ❯ secure and control the legal risks relating to intellectual property rights (portfolio of trademarks, designs/models, copyrights, and image rights); ❯ manage the Group’s compliance and secure the Group’s data protection processes, projects, and businesses, as the Data Protection Department is attached to the Group’s Legal Department; ❯ ensure the legal securing of governance (mandates, delegations of authority, and decision ‑ making and examination processes), the monitoring of the Group’s entities, and the review of regulatory reports; ❯ secure and optimise, from a legal perspective, partnership and alliance operations, restructuring operations, acquisitions, affiliations, financing, investments, and asset management; ❯ control and manage the legal risks relating to litigation and pre ‑ litigation cases (service providers, third parties, etc.) and our businesses, especially insurance (customer complaints, distribution networks, partners, etc.). ❯ Closer look at two specific compliance mechanisms under the Legal Department’s responsibility

5.2.3 GROUP DATA PROTECTION SYSTEM Regarding the application of the provisions of the French data protection law and the General Data Protection Regulation (GDPR), the compliance system relies on the Data Protection Officer (DPO) of the Group’s French entities declared to the French national data protection commission (“CNIL”) and on the network of internal data relay protection officers (DRPO): one officer per entity and 19 for Groupama Assurances Mutuelles in areas implementing processing operations. Each international subsidiary in the European Union has also designated a DPO with its national supervisory authority. All of these players are coordinated by the France DPO, who serves as CPO (Corporate Privacy Officer) within the Group. This network changes based on the Group’s organisational modifications. Closer look at mechanisms under the responsibility of Compliance Specific mechanisms have been set up to meet special requirements: building and running of training and awareness ‑ raising sessions on the regulations applicable to the insurance business, intended for a variety of audiences (distribution networks, Managers, etc.). ❯ to prevent insider dealing, the internal bylaws governing the Groupama Assurances Mutuelles Board of Directors contain a detailed reiteration of the statutory and regulatory provisions on the various restrictions on persons privy to privileged information about listed companies and financial instruments traded on regulated markets. Groupama Assurances Mutuelles staff in charge of investing in financial instruments traded on regulated markets and those working in mergers ‑ acquisitions sign a non ‑ disclosure agreement reiterating these same statutory and regulatory provisions. Groupama Assurances Mutuelles staff required to work on strategic transactions involving a listed company sign an NDA for each such transaction; ❯ the fight against money laundering and the financing of terrorism (AML/CFT) is overseen by the Group Compliance Department. Entities implement applicable regulatory provisions and professional guidance in those of their procedures relevant to this field. The key points of the procedure include categorisation of the risks of money laundering and the financing of terrorism, collecting information on customers and the sources of their funds on the basis of the size of the risk, an automated detection system for people on asset ‑ freeze lists and politically ‑ exposed persons, a CRM profiling system for life/savings business activities, and a permanent and periodic control mechanism to check procedures are followed properly. An anti ‑ money laundering and combating the financing of terrorism organisational policy defines the roles and responsibilities of the various participants and stakeholders at Group level and at each operational entity concerned, describes the mechanism in place with respect to informing and training employees, determines the methods and conditions for exchanging information required for due diligence, and specifies the procedure to be followed for control and risk monitoring. The Group Compliance Department, in conjunction with a network of Managers in AML/CFT in insurance subsidiaries in France and internationally, asset ❯ legal and tax advice (taxation applicable to products and advice in the area of wealth management solutions); ❯ dealings with administrative authorities for inspections, and support during these inspections and any resulting consequences on the insurance business; ❯

303

Document d’Enregistrement Universel 2023 GROUPAMA ASSURANCES MUTUELLES