Groupe La Poste // CSR REPORT 2022

Accelerating the digital transformation by ensuring ethics and digital security 4 FOSTERING ETHICAL, INCLUSIVE AND FRUGAL DIGITAL SERVICES ■

4.1 ACCELERATING THE DIGITAL TRANSFORMATION BY ENSURING ETHICS AND DIGITAL SECURITY 4.1.1 Data protection

■ universality : accept all players; ■ sustainability : continue to produce and maintain the service over the long term. 2. The Digital Ethics Committee within the Responsible Digital Committee was set up in January 2020. The CIOs of the business units and subsidiaries, as well as the group’s CSR and strategy officers, take part in it. A working group bringing together all business units has defined the ethical principles in terms of AI for La Poste Groupe. 3. The deployment of the data protection system is based on solid data governance that involves several functions, which are presented, as well as their roles and responsibilities, in the table below:

For La Poste Groupe, the confidentiality of employee, supplier, service provider and customer data is a prerequisite for the performance of its business activities. A pioneer in the responsible use and security of data, the group regularly updates its systems in order to manage this major issue, by relying on three complementary levers: its role as a trusted digital third party, its governance and its Data Charter. 1. The Consumer and Digital Services business unit, which, as a trusted digital third party , carries the values of robust governance and the Data Charter. ■ neutrality : do not interfere with the content of the discussion and treat all players in the same way;

Position

Duties

Data Protection Officer (DPO)

■ independently monitors compliance with personal data protection regulations within the group; ■ informs, raises awareness and advises employees on the implementation of personal data processing; ■ verifies compliance with the data protection regulations. ■ enhance La Poste’s data capital and supports the group’s transformation through data; ■ provide the communication and acculturation necessary for the group’s transformation; ■ lead the CDO Committee – which consists of the CDOs, the DPOs, the information system security managers, the ethics officer and the Communications Department – which meets three times a year. ■ supports the digital transformation; ■ guarantees the consistency and optimisation of the group’s information systems; ■ prepares the strategies and coordination for the group’s information systems. Decisions are taken by the group’s IS Committee, which is chaired by the General Secretary. ■ define, implement and ensure the smooth operation of the security management system for information systems at entity level; ■ contribute to the choice of technologies and infrastructures.

Chief Data Officer (CDO) and Data Artificial Intelligence (AI) division

Information Systems Department

Information system security managers All La Poste Groupe entities (business units, corporate structures, services to business units and subsidiaries) have an information system security manager.

Group Audit and Risk Department

■ analyses and monitors risks and internal control concerning GDPR compliance and the deployment of the Data Charter through regular audits within the business units. ■ ensures the declaration to the DPO of the processing of personal data carried out in his or her entity and ensures their compliance; ■ helps to raise awareness of and apply the personal data protection policy drawn up by the group.

Deputy DPO or French data protection authority officer (DPO relay body)

The compliance programme (1) covers several issues:

For more information, see also the “Personal data protection” section on page 91 of La Poste Groupe’s 2022 Universal Registration Document. The group’s governance of the General Data Protection Regulation (GDPR) is ensured by a bimonthly GDPR Steering Committee . An annual progress report on GDPR deployment is also presented to the Audit Committee of the Board of Directors.

■ organisational issues, with the setting up of a “data protection” organisation within the group, including, in particular, Deputy DPOs and French data protection authority officers in the various group entities; ■ IT issues, with the implementation of data protection from the design phase of projects (privacy by design) and the compliance of new and existing applications;

(1) For more information, see also Section 3.1.3 “Compliance, a lever for securing the group's long-term development” of La Poste Groupe’s Universal Registration Document.

62 CSR Report 2022/ LA POSTE GROUPE