NEOPOST - 2018 Registration document

5 Non-financial performance statement

Social, societal and environmental information

Initiatives

Organising a network of security officers at Group, business unit and site level

ISO 27001 certification programme

Program of internal audits on security and regular penetration testing on the Group's systems and applications

Personal data protection program complying with the GDPR

Results

• Network made up of 33 local experts led by the Group's information security officer
• Analysis of security incidents, security performance and the progress of security-related projects during monthly security reviews
• 3 companies within the Group are ISO 27001 certified (covering 9% of staff), two of which also have ISO 27018 certification (cloud) and meet the OpenSAMM security standards
• 2 other entities are in the process of obtaining ISO 27001 certification
• 30 penetration tests and technical audits carried out in 2018 covering both the mailing business and Shipping (Packcity infrastructures) and Quadient (Inspire) digital solutions
• Implementation of the personal data protection policy and procedures that meet the requirements of the regulation
• Roll-out of a global organization with a data protection officer at Group level (member of the Group's executive Committee), from the regions to local level with coordinators present at each site
• Training provided to business units handling the personal data of our employees and customers
• 2 compliance audits conducted at Neopost France and Neopost Ltd (United Kingdom).

ISO 27001 certification program

The Group is currently rolling out a certification program based on the ISO 27001 standard, primarily covering sites whose business is the development of software solutions, infrastructures and their support. In 2018, three units were ISO 27001 certified, two of which were also ISO 27018 certified, and two other companies were in the process of being certified.

GDPR (1) compliance

In addition, a personal data protection policy and procedures meeting the requirements of the European general data protection regulation (regulation 2016/679, known as GDPR) have been implemented under the responsibility of the Group Data Protection Officer, regional data officers and local correspondents. The actions already carried out include: a register of data processing that helps to map all personal data and how it is processed and used, the addition of clauses to customer and supplier contracts, and the writing of a guide for marketing on the consent of a potential customer or a customer of another Group entity. The Group also deployed an incident management procedure and provided a notice for its employees to explain the Group's obligations regarding the protection of their private data as well as their rights and duties. Training was given to the business units most at risk, those handling customers’ and staff’s personal data. The entire process must be audited to ensure it is operational and efficient. Two compliance audits were conducted this year at Neopost France and Neopost Ltd (United Kingdom).

Responsible procurement

The Group extends its CSR and ethics commitments to all its partners, who must comply with applicable laws and regulations, International Labour Organization conventions and its responsible procurement policy.

To this end, since 2016 the industrial partnership and procurement department, in collaboration with QHSE and CSR management, has rolled out its supplier Code of conduct and its responsible procurement policy across its entire range of manufacturing suppliers. The policy against modern slavery and human trafficking complements the measures taken by the Group to support Human Rights. Neopost seeks to establish mutually beneficial partnerships with its suppliers and to conduct business with them in a responsible, ethical and sustainable manner. The Group therefore endeavours to work only with partners who share its values and have similar ethical rules to its own. The Group is also committed to choosing its suppliers carefully, fairly and with integrity. They are selected using the established procurement strategy or by invitation to tender based on their ability to meet the Group’s requirements in terms of quality, price, service, reliability, technology, safety, the environment and ethics. The Group also endeavours not to create a situation of mutual dependence in terms of revenue, technology and know-how.

Responsible procurement: 87.6% of suppliers evaluated in 2018 comply with the requirements of the Group’s suppliers Code of Conduct

(1) General Data Protection Regulation.
