LEGRAND / 2018 Registration document

INTERNAL CONTROL AND RISK MANAGEMENT

RISK FACTORS AND CONTROL MECHANISMS IN PLACE

3.6.3 – Reputational and compliance risks

3.6.3.1 PRODUCT QUALITY AND SAFETY

See section 4.2.1.2 “Ensuring the safety of users of electrical equipment”.

3.6.3.2 BUSINESS ETHICS

See section 4.3.1 “Acting ethically”.

3.6.3.3 BRAND AND REPUTATIONAL DAMAGE

New technologies and growing communication via social media are increasing the risks to the Legrand Group’s image. They are leading to a much higher risk of the Group being exposed to criticism, fake news and negative messages, and they are speeding up the spread of such messages. This could damage the Group’s image among its stakeholders (employees, shareholders, customers, suppliers, etc.).

To prevent this risk, a charter on individual use of social networks has been written for employees. In addition, monitoring, detection and reaction systems are in place:

- The Group’s digital footprint is monitored by a Digital Dashboard, which logs websites and pages related to the Group’s activities.
- Dedicated teams are in place within the Strategy Department, in charge of overseeing and monitoring activity on social media.
- Response procedures are in place for addressing identified risks.

3.6.3.4 PERSONAL DATA PROTECTION

The Internet of Things (IoT) is leading to an increase in the volume of personal data to be processed. Such data could be used for fraudulent purposes or misappropriated, infringing users’ privacy and security. Given that there is a close link between utility, security and respect for users’ privacy, any leak, theft or loss of data could have a major impact on user confidence in Legrand’s products, and thus on the Group’s sales. The Group could also be sued for damages. Finally, with the entry into force of the EU General Data Protection Regulation (GDPR) in May 2018, the Group’s obligations regarding data processing and protection will increase, and it could be fined for failing to meet those obligations.

Legrand undertakes to respect the privacy of its customers, partners, managers and employees, to protect their personal data, and to process that data in accordance with the applicable rules and laws.

To meet this commitment and fulfill its regulatory obligations, the Group has established a program involving specific governance, a dedicated team (a Data Privacy Officer and a network of Data Privacy Representatives in the Group’s countries) and several working groups.

Legrand applies the “Privacy by Design” principle, based on the ISO 27001 standard, when developing connected objects as part of the Eliot program. Security audits and regular intrusion tests are carried out by Legrand or by leading cybersecurity companies. These are conducted by simulating hacking throughout the process from development to marketing. Legrand also implements PIAs (Privacy Impact Assessments) across all its connected products, to measure and minimize the impact of personal data processing on users’ privacy.

Finally, Legrand takes particular care in handling its employees’ data, and in 2016 introduced internal company rules for transfers of data outside Europe.

3.6.3.5 EMPLOYMENT PRACTICES

With commercial and industrial sites in nearly 90 countries, more than 38,000 employees worldwide and countless subcontractors and suppliers, Legrand could face situations in which the Group’s guidelines on working conditions and respect for human rights are not complied with, for employees of the Group and/or its subcontractors.

In addition to the ethical concerns this raises, regulations are also changing, for example with French act no. 2017-399 of March 27, 2017 on the duty of care of parent companies and principal contractors. This law makes it compulsory to have a duty of care plan to identify risks and prevent violations of human rights and fundamental freedoms, or threats to health and safety and the environment. Failure to comply with this obligation could lead to penalties on the Company, and corporate civil liability may be incurred. Moreover, apart from the financial and legal risks, non-compliance with these principles could have a major impact on the Group’s image with its stakeholders.

The Group has already taken steps to prevent and limit these risks, since “Respecting human rights” and “Guaranteeing occupational health and safety” are two of the issues covered by the 2014-2018 CSR roadmap (see sections 4.4.1 and 4.4.2, respectively). The Group’s response as regards the duty of care plan is described in section 4.6 “Duty of care”. Detailed information on the systems and governance in place can also be found in these sections.
