Plastic Omnium // 2021 Universal Registration Document

NON-FINANCIAL REPORTING DISCLOSURE The risk management and non-financial reporting of the Group

● the Group publishes a list of its consolidated subsidiaries and provides the French tax authorities with a country-by-country tax report.

The Tax Policy is approved by the Company's General Management, on the proposal of the Group Tax Department, which is responsible for implementing it, in collaboration with the local Finance Departments, under the supervision of the business lines.

Performances

The performance indicator is the Ethics Awareness Index, defined in 2019 as a marker for the ACT FOR ALL™ program. In 2021, the index was calculated based on the proportion of targeted employees who achieved a score of 80% or more in the Code of Conduct e-learning module during the year. The targeted employees are new hires and employees whose Code of Conduct online training was made available in their local language during the year. Thus, in 2021, the index was 89.5%.

4.3.2.2 CYBER RISK IS CONTINUITY OF SERVICE – DATA PROTECTION

Risk description

A cyber risk is defined as any risk of financial loss, business interruption or damage to the reputation of a company due to a failure of information technology systems. The digital transformation and digitalization of the business lines and activities results in an increase in the digitization of the processes and volume of data managed by the Company. This transformation, which has been further accelerated in recent years due to the health situation, must be accompanied by appropriate security of systems and data in order to protect Plastic Omnium from all IT attacks and cyber-attacks.

Policies and procedures

Within the IT Department, the Cyber Defense Department manages data protection and network security. Safety rules are formalized within an IT Security Policy as well as in a charter for the use of communication resources and IT tools to ensure the cooperation of all employees in the preservation of the Group’s IT systems.

The ability to detect and deal with cybersecurity incidents is a priority. Investments are made every year to strengthen the Group’s cyber-resilience. Plastic Omnium has a Security Operating Center which detects and analyzes security events on IT systems. Each year, this Center is enhanced with new controls. After the formalization of a cyber crisis management process in 2020, the IT teams conducted a cyber crisis management simulation exercise in 2021.

Plastic Omnium is involved in various associations such as CLUSIF (French IT Security Club), CESIN (Club of IT Security and Digital Experts) and CIGREF (IT Club for French Groups and Companies). These clubs bring together major French companies, including car manufacturers, and share information (latest attacks, exchange of best practices, new technologies, etc.). The ANSSI (French National Cybersecurity Agency) is also an important source of information to monitor and guard against new and emerging threats.

The Group pays particular attention to the issues of personal data protection. In Europe, the protection of personal data, subject to the General Data Protection Regulation (GDPR), relies on a dedicated organization: two internal Data Protection Officers (DPOs) steer GDPR compliance with the support of a network of correspondents in each country. This organization enables data protection principles to be incorporated into the management of new projects from the design phase (Privacy by design). In 2021, Plastic Omnium formalized its commitments in a Personal Data Protection Policy.

Performance

The development of the cybersecurity culture within the Group is a major stake in preventing this risk. For this reason, Plastic Omnium has rolled out a new cybersecurity training program for all its employees. This e-learning module, available in 17 languages, raises the awareness of attendees to the major cyber risks and reminds them of best practices to be implemented.

In addition, the Group conducts regular phishing risk awareness campaigns. Phishing is a fraudulent technique intended to deceive the Internet user into communicating personal data (access accounts, passwords, etc.) and/or banking data by posing as a trusted third party. An exercise simulating a phishing attack was conducted with 1,300 employees in 2021. This type of exercise will be rolled out to all sites in the coming years.

Cybersecurity challenges are taken into account at all stages of project development. A risk analysis is carried out from the project design phase (Security by design). When a new risk is identified, the risk mapping is updated as well as the roadmap and strategic cybersecurity plan. A quarterly Cybersecurity Committee oversees the plan to reduce these risks.

As part of a continuous improvement approach, an internal system to assess the level of maturity of industrial sites is implemented. External audits are also carried out: in 2021, nine sites were certified or had their certifications renewed with TISAX – Trusted Information Security Assessment Exchange – the standard used in the automotive industry.

4.3.2.3 PRODUCT SAFETY AND QUALITY, AND CUSTOMER SATISFACTION RISK

Risk description

Plastic Omnium products (fuel tanks, bumpers, etc.) are safety components subject to many standards and strict requirements to deliver complete satisfaction to direct customers and end-users. A quality or safety problem could have serious human or financial consequences and would permanently damage the Group’s reputation. Guaranteeing a quality product is a key issue for Plastic Omnium, reflected in the attention paid to all stages of the product life cycle: design, manufacturing, usage and end-of-life.

Policies and procedures

Product safety and quality are included in Plastic Omnium’s Code of Conduct and stated as a priority for all employees. The rules of conduct provide for ensuring both product compliance and health, safety and quality standards at every stage of manufacturing, from design to distribution. No production is authorized without the validation of the control systems by the quality teams. This is integrated into all of the Group’s projects.
